
I am following the guide in this website http://www.gregboggs.com/php-blowfish-random-salted-passwords/ but for some reason, when checking if the passwords are the same, it fails.

The HTML is simple: 2 forms, one for creating accounts and then one for checking. The code can be seen here: http://jsfiddle.net/Xf2Tc/

As output I get: salt = salt in database, password in database: `$2a$05$BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4/EtmnJ7Fz2CkoVha`, but the re-ENCRYPTED password is always something REALLY REALLY small: `BcPgSBqZz80dw`

I must be using the salt wrong or something.

If someone can edit this to be more organized, I would appreciate it.

```php
<?php
defined('_JEXEC') or die('Restricted access');
$hostname = "exampleHost";
$database = "exampleDB";
$username = "exampleUsername";
$password = "examplePassword";

// Part 1: account creation (salt generation + hashing)
if (isset($_POST['Upassword']) && isset($_POST['account']) && !empty($_POST['Upassword']) && !empty($_POST['account'])) {
    try {
        $pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $Upassword = mysql_real_escape_string($_POST['Upassword']);
        $account = mysql_real_escape_string($_POST['account']);

        // This string tells crypt to use blowfish for 5 rounds.
        $Blowfish_Pre = '$2a$05$';
        $Blowfish_End = '$';

        $Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
        $Chars_Len = 63;

        // 18 would be secure as well.
        $Salt_Length = 21;

        $mysql_date = date('Y-m-d');
        $salt = "";

        for ($i = 0; $i < $Salt_Length; $i++) {
            $salt .= $Allowed_Chars[mt_rand(0, $Chars_Len)];
        }
        $bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;

        $hashed_password = crypt($Upassword, $bcrypt_salt);
        $stmt = $pdo->prepare("INSERT INTO users (reg_date, account, salt, password) VALUES (:mysql_date, :account, :salt, :hashed_password)");
        $stmt->bindParam(':mysql_date', $mysql_date, PDO::PARAM_STR);
        $stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
        $stmt->bindParam(':account', $_POST['account'], PDO::PARAM_STR);
        $stmt->bindParam(':hashed_password', $hashed_password, PDO::PARAM_STR);
        $stmt->execute();
    } catch (PDOException $e) {
        //file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
        echo 'ERROR: ' . $e->getMessage();
    }
}

/*
 * Part 2: to test for correct encryption
 */
if (isset($_POST['Upassword2']) && isset($_POST['account2']) && !empty($_POST['Upassword2']) && !empty($_POST['account2'])) {
    try {
        $pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
        $stmt = $pdo->prepare("SELECT salt, password FROM users WHERE account=:account");
        $stmt->bindParam(':account', $_POST['account2'], PDO::PARAM_STR);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        $Upassword2 = mysql_real_escape_string($_POST['Upassword2']);
        echo $row['salt'];
        $bcrypt_salt = $Blowfish_Pre . $row['salt'] . $Blowfish_End;
        $hashed_password = crypt($Upassword2, $bcrypt_salt);

        echo "PassDB: " . $row['password'];
        echo '-------------------------------------------';
        echo "result: " . $hashed_password;
        echo '-------------------------------------------';
        if ($hashed_password == $row['password']) {
            echo 'Password verified!';
        }
        echo 'i am here';

    } catch (PDOException $e) {
        //file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
        echo 'ERROR: ' . $e->getMessage();
    }
}
?>
```
Juan
  • Use [password_compat](https://github.com/ircmaxell/password_compat); it has simplified the process of password hashing with `BCRYPT`. – Baba Nov 11 '12 at 15:15
  • I don't understand the "re-encrypted password" bit of your question. That doesn't even look like remotely the same algorithm generated it. – Gian Nov 11 '12 at 15:19
  • Is there a reason you are using `mysql_real_escape_string` on `$_POST['Upassword']` & `$_POST['account']`? Since you are using `PDO`, it automatically escapes your data and most likely your `$Upassword` & `$account` now are not what you think they are as you need an open `mysql_connect` connection to work. see also - [stackoverflow.com/questions/10750377/mysql-real-escape-string-with-pdo-php](http://stackoverflow.com/questions/10750377/mysql-real-escape-string-with-pdo-php). – Sean Nov 11 '12 at 15:28
  • @Sean My idea is that PDO protects my connection to my database, but I am not sure what would happen with malicious input inside PHP `$hashed_password = crypt($Upassword, $bcrypt_salt)`. I made a similar question where I validated user input using PHP, and then if correct I would query, but the answer was that I was wrong: http://stackoverflow.com/questions/13053318/is-this-dynamic-column-table-php-select-query-safe/13053366#13053366 – Juan Nov 11 '12 at 16:31
  • @Gian The first part creates the salt + encrypts the code; the second part retrieves the salt from the database, encrypts the user's plain-text "input" password and checks if it's the same as in part 1. So in theory the full encryption/hashing is done in part one, but in part 2 only hashing is done. – Juan Nov 11 '12 at 16:32

1 Answer


As you see, I am separating my code into 2 if statements, meaning my `$Blowfish_Pre` and `$Blowfish_End` were not being set when checking for the correct password.

Solution: either set these variables before the if statements, or set them twice.

Hope it helps someone.

Juan
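The following is an added example, not the asker's code or the linked guide's. It reproduces the symptom from the question (a 13-character result when the `$2a$05$` prefix is missing), shows the minimal fix, and then shows the hash/verify path a practitioner would use instead of hand-built salts. It assumes PHP >= 5.5 for `password_hash()`/`password_verify()` (on PHP 5.3/5.4 the password_compat library mentioned in the comments provides the same functions) and PHP >= 5.6 for `hash_equals()`. `$plain` and `$salt` are constructed sample values, `verify_crypt()` and `verify_login()` are helper names chosen here, and the `users(account, password)` table is the one from the question.

```php
<?php
// Added example (not the asker's code). All sample values are constructed.

$plain = 'correct horse battery staple';
$salt  = 'BcTDz3GVPJrLH3YRPF9FZ.';   // 22 characters from the bcrypt alphabet ./0-9A-Za-z

// Symptom: when $Blowfish_Pre is undefined (as in the second if block of the
// question) the salt handed to crypt() carries no "$2a$05$" scheme prefix, so
// crypt() selects the legacy DES scheme, keeps only the first two characters
// ("Bc") and returns a 13-character string of the "BcPgSBqZz80dw" shape.
$without_prefix = crypt($plain, $salt);

// Fix: the same prefix (scheme + cost) must be present when hashing and when
// verifying; bcrypt output is then 60 characters long.
$with_prefix = crypt($plain, '$2a$05$' . $salt);

printf("no prefix:   %s (%d chars)\n", $without_prefix, strlen($without_prefix));
printf("with prefix: %s (%d chars)\n", $with_prefix, strlen($with_prefix));

// Verifying a crypt()-style hash needs no separate salt column: the stored hash
// already contains scheme, cost and salt, so it can be passed as the salt
// argument and crypt() ignores the trailing hash part. hash_equals() avoids
// the loose-comparison quirks of "==" and compares in constant time.
function verify_crypt($candidate, $stored_hash)
{
    return hash_equals($stored_hash, crypt($candidate, $stored_hash));
}
var_dump(verify_crypt($plain, $with_prefix));        // bool(true)
var_dump(verify_crypt('wrong guess', $with_prefix)); // bool(false)

// Recommended path: let PHP generate the salt and embed it in the hash string.
// Nothing has to be re-assembled by hand at login, so the bug from the question
// cannot recur. The raw POST value goes straight into the hash function; it is
// never placed in SQL, so there is nothing to escape (bound parameters handle
// the account name in the query).
$stored = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10));

function verify_login(PDO $pdo, $account, $candidate)
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE account = :account');
    $stmt->bindValue(':account', $account, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown account
    }
    return password_verify($candidate, $row['password']);
}

var_dump(password_verify($plain, $stored));        // bool(true)
var_dump(password_verify('wrong guess', $stored)); // bool(false)
```

Storing only the `password` column (the full hash string) is enough for `verify_login()`; the separate `salt` column from the question becomes redundant, because the salt is parsed back out of the hash by `password_verify()`.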