1

I'm trying to find a hashing algorithm to use to save my passwords in the DB (along with a salt). I found this on SO: How do you use bcrypt for hashing passwords in PHP?. The top answer has a library that seems to work. I'm just a bit confused by the verify method.

To run the script, the author of the library provides:

$bcrypt = new Bcrypt(15);

$hash = $bcrypt->hash('password');
$isGood = $bcrypt->verify('password', $hash);

The hash method takes the input string and hashes it using mcrypt + a salt. The result is returned to $hash. Then the verify method takes the same input as hash method + $hash. verify then calls mcrypt + the value of $hash (instead of some random salt) -- and somehow the results are the same $hash???

Simplified:

hash = password + salt
verify = password + hash
verify = hash <-- huh???

What did I miss?

ALSO:

I plan to modify the code such that hash method accepts a $salt parameter. I will make getSalt a public method. This way, I can get a salt, store it in the DB, store the hash in the DB, and use user's input + salt to see if it hashes to what I have stored in the DB. Any problems with this idea?

Community
  • 1
  • 1
StackOverflowNewbie
  • 39,403
  • 111
  • 277
  • 441

2 Answers2

4

I'm not familiar with the actual bcrypt, but something along the following lines must be what happens:

When you create the "hash", $bcrypt->hash('password') returns a string that contains both the hash value and the initial salt.

When you subsequently say $bcrypt->verify('password', $mystring), the function first reads the salt part out of your input string, then creates the hash again with that salt, and finally compares that computed hash with the hash part of your input string.

In any salinated hashing scheme, you will always have to store the salt along with the hash value.

Kerrek SB
  • 464,522
  • 92
  • 875
  • 1,084
2

The hash in this case also contains the salt. It's concatenated to the beginning of the string, usually as something like $2a$12$SALT.... Passing the hash to verify is just done to use that salt value again, the rest of the hash is ignored. That also means you do not need to modify the function for use with salts, that's already part of the algorithm.

deceze
  • 510,633
  • 85
  • 743
  • 889