
In my database I saved the passwords with

password_hash($user->getPassword(), PASSWORD_BCRYPT);

In the login form the user enters this password, and I encode the password to a bcrypt string and submit the encrypted password (because I have no SSL) to the server.

So my question is: is it possible to compare two hashes which are generated with bcrypt?

user2831042
    No. Not unless they use exactly the same salt and cost parameter. – Mike Nov 03 '14 at 19:43
  • Ah ok that means if I use the same salt and costs it will be possible? But I think it is very bad to show the salt and the costs in the javascript... – user2831042 Nov 03 '14 at 19:46
  • 1
    @user2831042 Salt and cost are not sensitive items. You should be worrying that you're serving the site and your critical security functionality unencrypted and attackable. – ceejayoz Nov 03 '14 at 19:47
  • 2
    @user2831042 If you ever need to use the same salt for multiple hashes, you're doing something wrong. As ceejayoz says, get an SSL certificate. – Mike Nov 03 '14 at 19:50
  • possible duplicate of [About password hashing system on client side](http://stackoverflow.com/questions/3715920/about-password-hashing-system-on-client-side) – Mike Nov 03 '14 at 19:58
  • `password_verify()`? – Scott Arciszewski Nov 04 '14 at 22:04

1 Answer


> In the login form the user enters this password, and I encode the password to a bcrypt string and submit the encrypted password (because I have no SSL) to the server.

Stop what you're doing and go buy an SSL certificate. There are a few spots (https://www.startssl.com/ is one) you can get one for free, or you can pay $7 to someone like Namecheap.

You have implemented the illusion of security. Hashing the password on the client side offers no meaningful security benefit - any MITM attacker simply has to serve adjusted copies of your JavaScript to someone they're attacking (or just intercept the hashed password, which is essentially the user's real password in your scheme).

ceejayoz
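The following is an added example (not code from the question or the answer) that shows concretely why the scheme in the question cannot work and what the `password_verify()` suggestion in the comments looks like in practice. The sample password and the `login()` function are constructed for illustration; the `$user->getPassword()` call from the question is replaced by a plain string, and persisting a rehashed value is left as a comment.

```php
<?php
// Added example, not from the original question or answer.
// Demonstrates: two bcrypt hashes of the same password are not string-comparable,
// a client-side bcrypt value cannot be verified against a stored bcrypt value,
// and the server must verify the plaintext itself with password_verify().

$password = 'correct horse battery staple'; // constructed sample input
$options  = ['cost' => 12];                 // work factor; 10 is PHP's default

// password_hash() draws a fresh random salt on every call, so hashing the
// same password twice yields two different "$2y$12$..." strings.
$storedHash = password_hash($password, PASSWORD_BCRYPT, $options); // what the DB holds
$clientHash = password_hash($password, PASSWORD_BCRYPT, $options); // what the asker's JS would send

// Plain string comparison (even constant-time) fails: the salts differ.
function hashesAreEqualStrings(string $a, string $b): bool
{
    return hash_equals($a, $b);
}

// This is what the scheme in the question amounts to: the client-side hash is
// treated as the "password" and checked against the stored hash. It cannot
// succeed, because password_verify() re-hashes its first argument with the
// salt and cost parsed from the second, and bcrypt($clientHash) != bcrypt($password).
function verifyClientSideHash(string $clientHash, string $storedHash): bool
{
    return password_verify($clientHash, $storedHash);
}

// Correct approach: the browser sends the plaintext over TLS and the server
// verifies it. password_verify() extracts salt and cost from the stored hash,
// recomputes bcrypt over the submitted plaintext and compares in constant time,
// so the salt never needs to be exposed to the client.
function login(string $submittedPassword, string $storedHash): bool
{
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    // Transparently upgrade hashes created with a lower cost than the current policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $newHash = password_hash($submittedPassword, PASSWORD_BCRYPT, ['cost' => 12]);
        // Persist $newHash for this user here (storage layer omitted; hypothetical).
    }
    return true;
}

var_dump(hashesAreEqualStrings($storedHash, $clientHash)); // the two bcrypt strings differ
var_dump(verifyClientSideHash($clientHash, $storedHash));  // the question's scheme cannot succeed
var_dump(login($password, $storedHash));                   // server-side plaintext check succeeds
var_dump(login('wrong password', $storedHash));            // wrong password is rejected
```

The salt and cost are stored inside the bcrypt string itself (`$2y$<cost>$<22-char salt><31-char hash>`), which is why `password_verify()` needs no separate salt column and why the comments above say the salt is not a secret; the part that has to stay confidential is the plaintext in transit, which is the transport layer's job.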