0

I generated an encrypted string using the Blowfish encryption function (crypt()) in PHP and stored it in the database. How can I check the correctness of a submitted password then?

For example, during registration I defined my password as "1234", then generated a random key, and my Blowfish-encrypted password was something like "$2a$08$xPIviMLmVMHLQdzb$$$$$.OdQVKDPJeK4KIcdqnngIgv41lILjKR." So, when the user comes back, how can I check the correctness of his/her password? Is there a function for comparing two encrypted strings from the same base password, or another efficient way? Thanks in advance.

JoshuaJeanThree

2 Answers

1

Simply pass the user input from the form into the crypt function, with the hash in the database.

For example:

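<?php
// Re-hash the submitted password with the stored hash as the salt, then
// compare in constant time (hash_equals) instead of with ==.
if (hash_equals($hashedPasswordInDb, crypt($passwordFromPost, $hashedPasswordInDb)))
{
   // User has been authenticated
}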
Matt Kent
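
The check described in this answer, written out end to end as an added example (not code from the original answer or from the PHP manual). The function names `register` and `verifyWithCrypt`, the cost of 10 and the sample passwords are assumptions made for illustration; the type hints need PHP 7.0 or later.

```php
<?php
// Added example: storing and checking a bcrypt password hash.

function register(string $password, int $cost = 10): string
{
    // password_hash() picks a random salt and returns one bcrypt string that
    // carries algorithm, cost, salt and hash; store that string as-is.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyWithCrypt(string $submitted, string $storedHash): bool
{
    // Passing the stored hash as the "salt" makes crypt() reuse the same
    // algorithm, cost and salt, so the right password reproduces the string.
    $candidate = crypt($submitted, $storedHash);

    // On an unusable salt crypt() returns a short failure marker ("*0" or
    // "*1"); a valid bcrypt string is always 60 characters long.
    if (strlen($candidate) !== 60) {
        return false;
    }

    // Constant-time comparison; == would leak timing and applies loose typing.
    return hash_equals($storedHash, $candidate);
}

// Constructed sample data, standing in for the value read from the database.
$stored = register('1234');

// Hashing the same password again uses a new salt, so two separately
// generated hashes of one password cannot be compared with each other.
var_dump(register('1234') === $stored);

// Correct and incorrect submissions checked against the stored hash.
var_dump(verifyWithCrypt('1234', $stored));
var_dump(verifyWithCrypt('12345', $stored));

// A corrupted stored value must fail closed rather than match anything.
var_dump(verifyWithCrypt('1234', '*0'));

// password_verify() performs the same re-hash and constant-time comparison.
var_dump(password_verify('1234', $stored));
```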
0

Passwords are usually not encrypted but hashed. It is not possible to regenerate the original password from a hash.

To find out more about password hashing in PHP, the PHP manual is a good starting point.

Markus Müller
  • 1
    One does encrypt passwords if one needs to recover them (like in configuration files, where you need to recover the original password to use it as a login for, e.g., the database). The question is about users logging in to his application, so he does not need the original password. Could you be so kind as to explain why I need to encrypt a password if I hash it afterwards? – Markus Müller Jan 26 '15 at 13:44