
I have question about valid hashing passwords:

login.php

$login = $_POST['login'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($login) && !empty($password) && password_verify(??){

I want to make a secure login and I know that I have to verify the inputted password against an existing hash (stored in the database?). I also know that bcrypt makes a new hash every time (because of a different salt, etc.).

The problem is that I don't know how to put this hash into the database, because I don't want to register new users; I have a static list of users (exactly two: admin and user).

I tried to manually copy/paste the hash, but it wouldn't work, since, as I mentioned earlier, every time I run the script a new hash is created.

Can anyone help me put the bcrypt hash in the database (only once) so I can just check whether the inputted password is the same as the one in the database?

Do I need extra variables to store this hash?

EDIT:

login.php

<?php
session_start();
include("log.php");
include("pdo.php");
$login = $_POST['login'];
$password = $_POST['password'];

// Two fixed bcrypt hashes, one for admin and one for user.
$adminHash = '$2y$10$lxPRtzzPDUZuPlodhU4QquP.IBrGpkjMNplpNgN9S1fEKd64tJ5vm';
$userHash = '$2y$10$Klt345wT66vA.4OAN5PEUeFqvhPQJ4Ua/A4Ylpc1ZcnJZv/hafgSu';

// The submitted password is accepted if it matches EITHER hash; which role
// gets set is then decided only by the login name found in the table.
if(!empty($login) && !empty($password) && (password_verify($password, $adminHash) || password_verify($password, $userHash))){
    $query = $pdo->prepare('SELECT * FROM xx WHERE login = ? AND admin = ?');
    $query->execute(array( $login, 1));
    $result = $query->fetchAll();
    if(!empty($result)) {
        $_SESSION['logged_admin'] = 1;
    }
    else {
        $query->execute(array( $login, 0));
        $result = $query->fetchAll();
        if(!empty($result)) {
            $_SESSION['logged_user'] = 1;
        }
        else {
            $_SESSION['logged_error'] = 1;
        }
    }
}
else $_SESSION['logged_error'] = 1;
header("Location:index.php");
exit; // stop here so nothing after the redirect header keeps executing

?>

It seems to be working, but I don't know if it's the best/safest solution.
With more passwords it will be too complicated, I guess; still looking for the best option!
What if I need more users? Now every user has the same hash and it's dangerous, I get it, so how do I make it safe? Generate a hash for every user and make an array of hashes?

dmnmlk
  • Just store the hash wherever you store the static user list, and then compare the submitted password with the hash using password_verify – JimL Dec 11 '16 at 12:14
  • I think this post describes the best way to go about this: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php/6337021#6337021 – Christopher Hughes Dec 11 '16 at 12:15
  • @JimL thanks for the answer, you mean storing it in the script? When I said static list of users I was talking about the database. Where should I store that kind of information? Any idea? – dmnmlk Dec 11 '16 at 12:19
  • @ChristopherHughes so if I want to have 10 users I need to store 10 hashes? And also I need to password_verify with every one of them? I know there is a better answer for this. – dmnmlk Dec 11 '16 at 12:36
  • @dmnmlk if you have the users in the database then add the hashes to the same table – JimL Dec 11 '16 at 18:48

1 Answer


You first fetch the one that has the password_hash() result from your database, and then compare it with password_verify($password, $storedpassword) like this: link

rizujikeda
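The approach the answer and JimL's comment describe, as an added example (not the asker's or answerer's code): each user's bcrypt hash lives in the same row as the user, the hash is looked up by the submitted login only, and the hashes are generated once by a seed step. The table name `users` and its columns are assumed.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed schema: users(login VARCHAR PRIMARY KEY, password_hash VARCHAR(255), admin TINYINT)
declare(strict_types=1);

// Run ONCE (e.g. from the CLI) to seed the static user list. password_hash()
// salts every call, so the stored strings differ from run to run; that is fine,
// because password_verify() reads the salt back out of the stored hash.
function seedUsers(PDO $pdo, array $plaintexts): void
{
    $stmt = $pdo->prepare('INSERT INTO users (login, password_hash, admin) VALUES (?, ?, ?)');
    foreach ($plaintexts as $login => [$password, $isAdmin]) {
        $stmt->execute([$login, password_hash($password, PASSWORD_DEFAULT), $isAdmin]);
    }
}

// Structurally valid bcrypt string (constructed, matches no real password) used when
// the login does not exist, so the response time does not reveal which logins exist.
const DUMMY_HASH = '$2y$10$' . '......................' . '...............................';

// Returns the user row on success, null on failure. Because the hash is fetched for
// the submitted login only, a valid password for "user" can never log in as "admin".
function authenticate(PDO $pdo, string $login, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT login, password_hash, admin FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['password_hash'] : DUMMY_HASH;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparently upgrade the stored hash if PASSWORD_DEFAULT's cost/algorithm changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE login = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    }
    return $row;
}

// login.php usage, replacing the adminHash/userHash branches from the question:
// session_start();
// $user = authenticate($pdo, $_POST['login'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { $_SESSION['logged_error'] = 1; }
// else { session_regenerate_id(true); $_SESSION[$user['admin'] ? 'logged_admin' : 'logged_user'] = 1; }
// header('Location: index.php'); exit;
```

With this layout adding a tenth user is one more row, and the login code never has to loop over a list of hashes.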