The title is self-explanatory. The following hashes are generated for the pass 'hi'. As you can see, each hash is different from the last. Not sure how this is possible for a one-way encryption algo. Please help

  1. $2y$10$W3ZkFyZl/72RZn4S.98y/OnqA/efNqoY4blB2AHimJlgDANYA9qKy

  2. $2y$10$juwL/E/Z9vh5Hj6An/.nauzeFw4vhXaQSR7g7eP3.gZ9JLsREXNi6

  3. $2y$10$11GUeaQ5rhJ21wHIUzAt5OM4Ol0qJ4pV5ZB//OiK1GuJYMg7o1PAu

  • It generates a different salt each time, so the resultant hash is also different. – Michael Berkowski Jan 12 '21 at 20:26
  • Did you check https://www.php.net/manual/de/function.password-verify.php if all three will validate to TRUE or is this just a background question on encryption mechanisms of https://www.php.net/manual/de/function.password-hash.php? – Alexander Dobernig Jan 12 '21 at 20:28
  • @MichaelBerkowski So for implementing the following function into a 'log in' portal would you store the first hash generated as the password? Or how will you know which hash to use such that the password will generate it each time? 1. user enters password. 2. Password_hash user pass. 3. Compare user pass hash to db hash. Will these not be different each time? –  Jan 12 '21 at 20:29
  • @AlexanderDobernig We currently use the password_verify function however it will only work on some passwords. For example we had users that were unable to log into the website for hashes with several special characters. I am having a hard time explaining and reasoning what is happening in the back end. –  Jan 12 '21 at 20:30
  • @Stonen2 You must use [`password_verify($password_from_login, $hash_from_database)`](https://www.php.net/manual/en/function.password-verify.php) to test the password. You store the hash from `password_hash()` in the database, use `password_verify()` to compare it. – Michael Berkowski Jan 12 '21 at 20:31
  • One initial call to `password_hash()` is all you ever need - store that value and you will not call `password_hash()` again unless you reset the password. – Michael Berkowski Jan 12 '21 at 20:32
  • @MichaelBerkowski Thank you!! –  Jan 12 '21 at 20:34
  • If you're seeing failures on password_verify(), I'd start by checking two things: 1) Make sure your database field is big enough to hold these long hash strings, and 2) Make sure the code that gets run before saving the hash doesn't strip any characters that the user typed. – Alex Howansky Jan 12 '21 at 20:36
  • FTR, it's supposed to work like this. a) It protects against using precomputed hashes to find passwords (google "rainbow tables"). b) It makes it impossible to tell if two users use the same password. – Peter Jan 13 '21 at 13:10
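The comments above explain why a different hash per call is correct: the random salt is stored inside the hash string, so `password_verify()` reads it back and never needs a second `password_hash()` call. The following Python (an added example, not code from the question or answer) parses the three bcrypt strings from the question into their fields and also simulates the truncation failure Alex Howansky describes; `column_width` is an assumed parameter standing in for a too-narrow database column.

```python
import re

# The three bcrypt strings posted in the question (all from password_hash('hi')).
QUESTION_HASHES = [
    "$2y$10$W3ZkFyZl/72RZn4S.98y/OnqA/efNqoY4blB2AHimJlgDANYA9qKy",
    "$2y$10$juwL/E/Z9vh5Hj6An/.nauzeFw4vhXaQSR7g7eP3.gZ9JLsREXNi6",
    "$2y$10$11GUeaQ5rhJ21wHIUzAt5OM4Ol0qJ4pV5ZB//OiK1GuJYMg7o1PAu",
]

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>,
# always 60 characters in total.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt string into its fields; raise if it is not a complete hash."""
    m = _BCRYPT_RE.match(h)
    if not m:
        raise ValueError(f"not a complete bcrypt hash ({len(h)} chars): {h!r}")
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,
        "cost": int(cost),   # work factor: 2^cost rounds
        "salt": salt,        # random per call, which is why every hash differs
        "digest": digest,
        "length": len(h),
    }


def salts_are_distinct(hashes) -> bool:
    """True when every hash carries its own salt (the normal, expected situation)."""
    return len({parse_bcrypt(h)["salt"] for h in hashes}) == len(hashes)


def check_stored_hash(h: str, column_width: int) -> bool:
    """Simulate storing the hash in a column of the given width (assumed parameter).
    A narrower column silently truncates the string, and a truncated bcrypt hash
    can no longer be parsed, so verification against it can never succeed."""
    stored = h[:column_width]
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False
```

All three strings parse to the same variant and cost but different salts, and any column narrower than 60 characters breaks verification for every user.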

1 Answer

Are your database fields large enough? If you cut the hash, it will result in invalid verifications. The hashes do not have the same length! Not even for the same password.

Possibly you are modifying (only some) hashes upon inserting them into the database or retrieving them from the database: ??? Use prepared statements to insert it into the db.

Do not use any sanitization on the hash!

See the short example: 10 times the pw is the same, the HASH is different, and 10 times the verify is OK :-)

```php
<?php

// The same password on every iteration; the hash still changes because
// password_hash() draws a fresh random salt each call, and password_verify()
// accepts every one of them because the salt is stored inside the hash.
$pw = "öä?hgu.+?w55&rg:9/stf";

// Loop runs 10 times, matching the text above (the original condition $i<10 gave only 9).
for ($i = 1; $i <= 10; $i++) {
    // PASSWORD_DEFAULT is currently bcrypt, which produces the $2y$ prefix seen above
    $pw_hash = password_hash($pw, PASSWORD_DEFAULT);
    echo $pw_hash;
    echo "<br>";
    echo password_verify($pw, $pw_hash) ? "passwort ok" : "passwort falsch";
    echo "<p> next iteration: <br>";
}
```