
Alright, so I tried to make my users' info super secure by adding `" . sha1($_POST['password']) . "` when inserting their password when they register. THAT WORKS great; looking at the database, I have no clue what their password is.

Now the problem is logging in. I'm running some tests and when I try to log in, the password 12345 doesn't match the encrypted password using `$password=sha1($_POST['mypassword']);`

Any idea why?

Charles

Jason
  • You're saying you're hashing the password, storing it in the database, then hashing it again later and getting a different result? You're doing something wrong (`sha1` always returns the same output for a given input), but we don't have enough information to know what – Michael Mrozek Jun 14 '10 at 15:06
  • Is the hash in your db `8cb2237d0679ca88db6464eac60da96345513964`? – kamasheto Jun 14 '10 at 15:06
  • sha1('12345') will always equal sha1('12345'). Is there any chance you were wrong about the value of $_POST['mypassword'] that you stored? – dmazzoni Jun 14 '10 at 15:07
  • Also, your design is very vulnerable. A hacker could still guess people's passwords by running sha1() on some common passwords and comparing them to these strings. To fix this, you'll need to add "salt". Do a Google search for "salt cryptography" to learn more. – dmazzoni Jun 14 '10 at 15:09
  • Maybe also add some salt to the hash @dmazzoni, you were faster :-) – jdehaan Jun 14 '10 at 15:11
  • Don't use SHA1 for password storage; check out [an earlier answer](http://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php/10945097#10945097) that discusses this in more detail. – Ja͢ck Oct 09 '13 at 14:11

1 Answer


Double-check the size of the password column on your database... ensure that it's holding the entire sha1 hash (`varchar(40)`).

When hashing the password, what is the value of the `raw_output` parameter? If true, then your return is a 20-character binary string; if false, it's a 40-character ASCII string. Ensure you can store a binary value on the database if the former, or change to using the latter.

Mark Baker
  • Mark, you are 100% correct, the length was at 32. Thanks @dmazzoni, I'm researching salt now. It's a full-time job staying up with all this stuff. – Jason Jun 14 '10 at 15:14
  • Have a look at Josh K's answer to http://stackoverflow.com/questions/3038136/am-i-supposed-to-store-hashes-for-passwords about salting.... it's a nice simple worked example – Mark Baker Jun 14 '10 at 15:22
  • As other people have pointed out, you should salt your passwords... better yet, use PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2). Recent versions of PHP already have a built-in function `hash_pbkdf2`. If you're using an older version of PHP, you can use the PHP implementation linked to under "implementations" in the Wikipedia article. – Vinay Pai Dec 25 '12 at 00:07
  • @VinayPai Newer versions of PHP have `password_hash()` and `password_verify()` as well. – Ja͢ck Oct 09 '13 at 14:11
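An added example (not code from the question or the answer) that reproduces the truncation failure the answer diagnoses and then shows the `password_hash()` / `password_verify()` approach the last comment mentions. The column width is simulated with `substr()`, since MySQL in non-strict mode silently cuts an inserted value down to the column width; the function names are assumptions for illustration.

```php
<?php
// Added example: a varchar(32) column silently truncates the 40-char sha1 hex
// digest, so the stored value can never equal sha1($password) at login time.

// Simulates MySQL (non-strict mode) storing a value into varchar($width):
// anything past $width characters is dropped with only a warning.
function store_in_varchar(string $value, int $width): string {
    return substr($value, 0, $width);
}

// The asker's scheme: unsalted sha1, compared by string equality.
function register_sha1(string $password, int $columnWidth): string {
    return store_in_varchar(sha1($password), $columnWidth);
}
function login_sha1(string $stored, string $password): bool {
    return hash_equals($stored, sha1($password)); // constant-time compare
}

// The recommended replacement: password_hash() picks a per-user salt and a
// slow algorithm (bcrypt by default); password_verify() checks against it.
function register_modern(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT); // 60 chars for bcrypt
}
function login_modern(string $stored, string $password): bool {
    return password_verify($password, $stored);
}

$pw = '12345';

// Bug from the question: column was varchar(32), hash is 40 hex chars.
$truncated = register_sha1($pw, 32);
printf("varchar(32): stored %d chars, login ok? %s\n",
    strlen($truncated), var_export(login_sha1($truncated, $pw), true));

// Fix 1: widen the column to varchar(40) and the unsalted scheme "works".
$fits = register_sha1($pw, 40);
printf("varchar(40): stored %d chars, login ok? %s\n",
    strlen($fits), var_export(login_sha1($fits, $pw), true));

// Fix 2 (preferred): password_hash(). The PHP manual recommends a column of
// 255 chars, because a future default algorithm may produce longer strings.
$modern = register_modern($pw);
printf("bcrypt: %d chars, login ok? %s, wrong password ok? %s\n",
    strlen($modern),
    var_export(login_modern($modern, $pw), true),
    var_export(login_modern($modern, 'wrong'), true));
```

Running it prints `false` for the varchar(32) case and `true` for the other two, which is exactly the symptom in the question; note that both `hash_equals()` and `password_hash()` need PHP 5.6+ / 5.5+ respectively.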