After some troubleshooting, I have determined that when I hash a password using PHP's password_hash function, the encryption identifier is $2y$. However, when I use the password_verify function to compare the stored hashed password with the user input password, password_verify will not return true. If I generate a new password using the $2a$ identifier on https://www.bcrypt-generator.com/ and replace the stored hashed password with it, it returns true.

I'm hoping someone can explain why password_hash($password, PASSWORD_DEFAULT) is using $2y$ and why password_verify() is using $2a$. Or anything else I might be doing wrong here for that matter. I am doing this locally on WAMP Server running PHP Version 7.0.10.

Here is an example of the code I am having trouble with ($2y$ identifier will not return true).

<?php
// $hashNotWorking came from password_hash("testing", PASSWORD_DEFAULT)."\n";
$hashNotWorking = '$2y$10$DNPos6f7Vo4Z2IrYU./eCObD7BMkwlkK9yiYjb0hvnI14B1dbFHbC';

if (password_verify('testing', $hashNotWorking)) {
 echo 'Password is valid!';
} else {
 echo 'Invalid password.';
}
?>

Here is an example of the code that is working ($2a$ encryption NOT generated by password_hash function).

<?php
// $hashWorking came from https://www.bcrypt-generator.com/
$hashWorking = '$2a$08$uP75n/pDhUZo6qOOM3DuPug5U2fcSXW4f3MUz8p3SlO5yPZ4fLf9O';

if (password_verify('testing', $hashWorking)) {
 echo 'Password is valid!';
} else {
 echo 'Invalid password.';
}
?>
Adam.M
  • http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php#comment8558243_6337021 see that comment and the rest on that page. – Funk Forty Niner Nov 13 '16 at 05:48
  • I'm doubting what you posted for the first one to be properly hashed. Make sure that there wasn't a line break or <br> introduced during hashing; I've seen that happen before. – Funk Forty Niner Nov 13 '16 at 05:53
  • Thank you Fred. I was using the "\n" because that's what the php.net example had. I have also tried without and still can't get a true. I am reading the link you posted now. Trying to do more research. – Adam.M Nov 13 '16 at 06:05
  • `echo $var = password_hash("testing", PASSWORD_DEFAULT)."\n";` post that in your hash creation, copy the hash from it into your first variable and it will work. – Funk Forty Niner Nov 13 '16 at 06:07
  • also, if it's as you say that it's coming from user input, make sure there isn't any whitespace being introduced somewhere. Use `trim()` against it; I've also seen that happen before. – Funk Forty Niner Nov 13 '16 at 06:09
  • Outstanding! When I use your snippet I get a hashed password that will verify. It must be, like you said, adding a <br> or somehow being done incorrectly when I was hashing it. Thank you very much for the assistance! – Adam.M Nov 13 '16 at 06:16
  • you're welcome. I posted an answer below which you can mark as accepted in order to properly close the question. – Funk Forty Niner Nov 13 '16 at 06:21

1 Answer

I suspect that there might have been whitespace introduced in the original hash and/or a <br>, or that some may have been introduced by the user.

I have seen cases like this often before.

If that is the case, trim() it.

Create a new hash as per what I mentioned in comments and it will work.

echo $var = password_hash("testing", PASSWORD_DEFAULT)."\n";

Then paste it in place of what your present hash is.

Funk Forty Niner
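The failure the answer describes, as an added PHP example (not code from the question or the answer): it hashes "testing" with password_hash, then verifies against the clean hash, the same hash with a stray newline appended, and whitespace-padded user input, with and without trim(). It shows that the $2y$ prefix is not the problem (password_verify hands the hash to crypt(), which accepts $2a$ and $2y$ alike) and that a single stray byte on either side makes the check fail. The function name demo() is an assumption for this example.

```php
<?php
// Added example, not from the question or answer. Demonstrates that stray
// whitespace around the stored hash or the submitted password, not the $2y$
// prefix, is what makes password_verify() return false.

function demo(): array
{
    $results = [];

    // Hash the same way the question does; PHP's bcrypt emits a $2y$ prefix.
    $hash = password_hash('testing', PASSWORD_DEFAULT);
    $results['prefix']              = substr($hash, 0, 4);                      // "$2y$"
    $results['algo']                = password_get_info($hash)['algoName'];     // "bcrypt"
    $results['clean_hash_verifies'] = password_verify('testing', $hash);        // true

    // What copying the hash with a trailing "\n" (or an echoed <br>) does:
    // the stored value is now 61 bytes instead of bcrypt's fixed 60, so the
    // constant-time comparison inside password_verify() can never match.
    $storedWithNewline = $hash . "\n";
    $results['newline_hash_verifies'] = password_verify('testing', $storedWithNewline);       // false
    $results['trimmed_hash_verifies'] = password_verify('testing', trim($storedWithNewline)); // true

    // Same failure when the user input carries whitespace from a form field:
    $results['padded_input_verifies']  = password_verify("testing\n", $hash);       // false
    $results['trimmed_input_verifies'] = password_verify(trim("testing\n"), $hash); // true

    // Cheap sanity check to run before password_verify(): a bcrypt hash is
    // always exactly 60 characters, so any other length means the stored
    // value was corrupted somewhere between password_hash() and the database.
    $results['hash_length_ok']        = (strlen($hash) === 60);               // true
    $results['corrupted_hash_caught'] = (strlen($storedWithNewline) !== 60);  // true

    return $results;
}

foreach (demo() as $check => $value) {
    printf("%-24s %s\n", $check, var_export($value, true));
}
```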