
I am trying to set up a secure login & register system using crypt(), as I have read that that is PHP's stored function for bcrypt.

I am registering a user by taking their password and then crypting it.

$hashed_password = crypt($mypassword);

I then store $hashed_password in the db.

Then, when the user logs in, I am trying to match the password to what's stored.

I found this function on php.net but can't get it to work.

$password is the stored crypted password and $mypassword is the user's input:

if ($password == crypt($mypassword, $password)) {
    echo "Success! Valid password";
}

I understand that crypt generates a unique hash each time it's called, so I don't understand how the function can work.

Am I completely missing the point, as I read that crypt() is a one-way function and decrypt does not exist?

Any help is greatly appreciated, not only in showing the error of my ways but also in completing this secure login.

Barry Watts
  • This question will help: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Sammaye Aug 16 '13 at 11:04
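Worked example of what the second argument to crypt() does, added here and not part of the question or any answer. It assumes PHP >= 5.3.7 built with CRYPT_BLOWFISH (the "$2y$" prefix) and the openssl extension; the function names are my own.

```php
<?php
// Added example, not code from the question or any answer. Assumes PHP >= 5.3.7
// with CRYPT_BLOWFISH ("$2y$") and the openssl extension.
// The salt generated at registration is stored inside the hash, and
// crypt($input, $storedHash) reads that salt back, so the same password reproduces
// the same 60-character string even though fresh registrations differ.

function make_bcrypt_salt($cost = 10) {
    // bcrypt salt format: "$2y$" + two-digit cost + "$" + 22 chars from [./A-Za-z0-9]
    $b64 = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

function register_password($plain) {
    $hash = crypt($plain, make_bcrypt_salt());
    // crypt() returns "*0" or "*1" instead of a hash when bcrypt is unavailable,
    // which is what the "bcrypt not supported" error in the comments refers to.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not supported by this crypt() build');
    }
    return $hash; // store this whole string (salt included) in the users table
}

function verify_password($plain, $stored_hash) {
    $candidate = crypt($plain, $stored_hash);
    // Compare with === or hash_equals(), never ==: two numeric-looking strings such
    // as "0e1" and "0e2" are == in PHP. hash_equals() (PHP >= 5.6) is also timing-safe.
    if (function_exists('hash_equals')) {
        return hash_equals($stored_hash, $candidate);
    }
    if (strlen($candidate) !== strlen($stored_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored_hash); $i++) {
        $diff |= ord($stored_hash[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Constructed demo: register once, then check a right and a wrong login attempt.
$stored = register_password('correct horse battery');
var_dump(verify_password('correct horse battery', $stored));
var_dump(verify_password('wrong horse', $stored));
// A second registration of the same password gives a different hash (new salt),
// yet still verifies: this is the "unique hash each time" the question observes.
$again = register_password('correct horse battery');
var_dump($again !== $stored, verify_password('correct horse battery', $again));
```

On PHP >= 5.5 the built-in password_hash() and password_verify() wrap exactly this salt-generation and compare logic, and the password_compat library linked in the answers provides the same two functions for 5.3.7 and up.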

5 Answers

You're using a second parameter in your crypt() call, so it's treated as a salt. To compare properly, you can use:

if ($password == crypt($mypassword)) 
{
    echo "Success! Valid password";
}

But PHP provides native functionality for hashing routines; it was introduced in version 5.5 and is called password hashing.

For PHP versions below 5.5 down to 5.3.7, there is a backported compatibility function that does the same: https://github.com/ircmaxell/password_compat. Just include it and use it.

But note that you have to read the hashed password from the database and then compare it with PHP. You cannot query the database with a newly created password hash to find the user.

Alma Do
  • As I said above, you would want a `===` for the if statement due to PHP converting the results down to int to compare them; they will not compare by equality – Sammaye Aug 16 '13 at 11:33
  • @BarryWatts Use the one in the linked question in the comments, the accepted answer has a pre-5.3 edition – Sammaye Aug 16 '13 at 11:34
  • I tried that but I got an error back from my server saying 16-Aug-2013 06:41:12] PHP Fatal error: Uncaught exception 'Exception' with message 'bcrypt not supported in this installation. See http://php.net/crypt' – Barry Watts Aug 16 '13 at 11:47
  • @BarryWatts You need to install crypt; you cannot use PHP's native hashing functions without crypt – Sammaye Aug 16 '13 at 11:54
  • Unfortunately I am on a shared server, so this is not possible – Barry Watts Aug 16 '13 at 11:59
  • @BarryWatts You have little choice unfortunately. You could try http://www.php.net/manual/en/function.hash-pbkdf2.php but I believe that relies on the crypt library; you could build your own hashing mechanism (though I realllllllllly would not recommend it) or you could find a custom function – Sammaye Aug 16 '13 at 12:02
Assuming that the encrypted password from the database is $db_pass and the entered password is $new_pass, here's how you test it:

if($db_pass === crypt($new_pass)){
    echo "Success!";
}

This post will help...

Anshu Dwibhashi
  • You would wanna do a `===`, else PHP will convert both to ints and won't actually test their true equality – Sammaye Aug 16 '13 at 11:32
Assuming the current database is reading the password, all we have to do is:

if (crypt($pass, $row['pass']) == $row['pass']) {
    // the stored hash $row['pass'] supplies the salt, so the same input reproduces it
}
Alvin567
There are a few steps you need here. This tutorial will help, however: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Essentially you want to have the password encrypted in the database, e.g. so if the password was 'mypassword' it would be stored as some random string like '3ifdgk5ty=-dlsfs'.

Read up on sha1 (md5 is no longer considered secure). I've never used crypt myself; however, sha1() seems to do the job for me when used in conjunction with a salt (an additional text string added to the password to make it harder to hack).

Zabs
  • Please don't recommend SHA1 for hashing passwords. There are far better alternatives out there, like PBKDF2, bcrypt or scrypt. – Carsten Aug 16 '13 at 11:05
  • @Carsten, I wouldn't have commented if you had mentioned about MD5, what's wrong with SHA-1 ? I am voting up the post as it doesn't require a downvote. – Shankar Narayana Damodaran Aug 16 '13 at 11:06
  • Good point - bcrypt is a better alternative having done a quick search – Zabs Aug 16 '13 at 11:07
  • @ShankarDamodaran sha1 is not much better than md5 when it comes to calculation attacks via Cuda cores – Sammaye Aug 16 '13 at 11:08
  • and how do I incorporate bcrypt into this function. I thought bcrypt was part of php's crypt function – Barry Watts Aug 16 '13 at 11:10
  • @BarryWatts Simple: use PHP's new [password hashing functions](http://www.php.net/manual/en/book.password.php). They're available for PHP >= 5.5. For PHP >= 5.3.7, there's a [userland implementation of these functions](https://github.com/ircmaxell/password_compat). – Carsten Aug 16 '13 at 11:25
  • I am on PHP 5.2.17 and this doesn't support bcrypt – Barry Watts Aug 16 '13 at 11:48

You cannot decrypt it, because a hash is one-way. So you cannot obtain the original input via the hash. You cannot reveal users' passwords even if you have access to the database.

It is used like this: user writes password into input -> submits form -> password goes into the database like the following:

sha1($_POST['password']);

Then you store this hashed password in the database.

Whenever the user wants to log in, he submits the form again and it does this logic ($result['password'] comes from the database query):

if(sha1($_POST['password']) == $result['password']) {
  //password match, so lets log you -> set sessions, cookies and so on
}
Wiggler Jtag