PHP Crypt() Compare two crypted strings

Question

Is it possible to compare two crypt^Docs-ed strings and see if they match?

A user logs in, a session is created storing the user's ID and its corresponding crypt-ed password hash. In the background a check keeps running to see if the session (read, password) is still valid.

So technically I want to compare the crypt-ed password in the database with the crypted password in the session. Is this possible?

EDIT:

Should've said I was using the following method to crypt a password;

    function better_crypt($input, $rounds = 7)
  {
    $salt = "";
    $salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
    for($i=0; $i < 22; $i++) {
      $salt .= $salt_chars[array_rand($salt_chars)];
    }
    return crypt($input, sprintf('$2a$%02d$', $rounds) . $salt);
  }

Answer 1

Just check the PHP Manual on crypt. The example clearly states how you can validate the password (so how to compare).

<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}
?>

You can (of course) compare two hashed passwords directly (as they are both strings), but they are just not guaranteed to be equal.

Just be careful that crypt may not be "very" secure. Read more at Secure hash and salt for PHP passwords and see the PHP manual entry about password hashing: http://php.net/faq.passwords - that should get you started.

Answer 2

Hashed passwords can be compared for equality.

Answer 3

You simply can compare the two strings with eachother. if ($_SESSION['hash'] == $databasehash).

Why compare the two passwords? May I suggest you create a session table in the database, and check if the user is still logged in. Also bind this to IP, or let the user have the option to do so. It adds more security.

Additionally you can store an cookie if the user comes back after the $_SESSION has expired. Compare the cookie with the stored IP and hash if it's still feastable.

Answer 4

Is it possible to compare two crypted strings and see if they match? [for password matching]

Yes. Not only is it possible, it's recommended best practice. You should only ever store the hashed version of a password in the DB, never the actual password, so you should only ever have the hased version to compare against. If you do that, you obviously have to compare the hashes, because you can't get back to the original anyway.

But make sure you use a secure hashing routine such as bcrypt. Don't use md5 for the hashing or sha1, or anything like that.

It is also recommended to use a well-tested library for managing your passwords, rather than writing your own. I suggest this one: https://github.com/ircmaxell/password_compat -- it's written by one of the core PHP devs responsible for security, and the same functions provided by this lib will be built-in as part of PHP itself as of the next PHP version (v5.5), due out in a month or two, so it's future-safe too.

Answer 5

Yes, that's the purpose of hashing passwords.

One important caveat is that hash functions are not real bijective maps, and they feature a certain degree of collision - just to point out that hashing != encryption.