
I'm obviously new to blowfish encryption to be asking this. I believe I have one side of the equation figured out but cannot figure out how to log in once the hash is in the DB. I have the following for encrypting the password on registration:

    $blowfish_hash = "$2y$10$";
    $salt_length = 22;

    $salt = Generate_Salt($salt_length);
    $hash_combined = $blowfish_hash . $salt;

    $hash = crypt($password, $hash_combined);

    $password = $hash;

The Generate_Salt() function is as follows:

    function Generate_Salt($length) {
        // Random string from uniqid()/mt_rand(), hex-encoded by md5()
        $unique_rndm_str = md5(uniqid(mt_rand(), true));
        $base64_string = base64_encode($unique_rndm_str);

        // bcrypt salts use '.' instead of '+'; keep only $length characters
        $mod_Base64_str = str_replace('+', '.', $base64_string);
        $salt = substr($mod_Base64_str, 0, $length);

        return $salt;
    }

Once I register I get this nice long hash - great! But when I go to log in I'm unsure how to call the hash to check against the given password: `$_POST['log_password']`.

Using md5 it was easy: I just encrypted this way, `$password = md5($password);`, and recalled this way, `$password = md5($_POST['log_password']);`. However, reading up, I realize that this is not a secure method.

I've been at this for hours, can anyone shed some light on this for me please? Any help would be appreciated.

ep

  • Possible duplicate of [Secure hash and salt for PHP passwords](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – iainn Mar 21 '18 at 10:59
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Mar 21 '18 at 11:00

1 Answer


It is much easier than you think. Just use the function password_hash() instead; it will do the call to the crypt() function and handle the generation of a safe salt.

    // Hash a new password for storing in the database.
    // The function automatically generates a cryptographically safe salt.
    $hashToStoreInDb = password_hash($_POST['password'], PASSWORD_DEFAULT);

    // Check if the hash of the entered login password matches the stored hash.
    // The salt and the cost factor will be extracted from $existingHashFromDb.
    $isPasswordCorrect = password_verify($_POST['password'], $existingHashFromDb);
martinstoeckli
  • I figured out the other half on my own code & it works fine, however your suggested method is cleaner & requires less code. –  Mar 22 '18 at 07:41
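The complete login flow the answer describes, as an added example that is not code from the question or the answer: it shows why the stored hash needs no separate salt column (the `$2y$10$<salt>` prefix the asker built by hand is read back by `password_verify()`), the equivalent manual `crypt()` check the asker was missing, and a cost upgrade on successful login. The `$users` array is a constructed stand-in for the database table and the sample password is made up.

```php
<?php
// Added example, not code from the question or the answer. $users is a
// constructed stand-in for the users table; the sample password is made up.
declare(strict_types=1);

$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

/**
 * Login check. password_verify() reads algorithm, cost and salt from the
 * stored hash itself, so it also accepts the crypt()-generated "$2y$10$..."
 * hashes already in the database.
 */
function login(array $users, string $username, string $password): bool
{
    // Unknown user: verify against a constructed, never-matching hash so the
    // response time does not reveal which usernames exist.
    $stored = $users[$username] ?? '$2y$10$' . str_repeat('.', 53);
    return password_verify($password, $stored);
}

/**
 * The "other half" of the asker's crypt()-based approach: passing the stored
 * hash as the salt argument makes crypt() reuse its cost and salt, so equal
 * output means the password matched. hash_equals() keeps the comparison
 * constant-time.
 */
function verifyWithCrypt(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

/** After a successful login, re-hash when the cost or algorithm is outdated. */
function maybeUpgradeHash(array &$users, string $username, string $password): bool
{
    $options = ['cost' => 12];
    if (!password_needs_rehash($users[$username], PASSWORD_DEFAULT, $options)) {
        return false;
    }
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, $options);
    return true;
}

var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
var_dump(verifyWithCrypt('correct horse battery staple', $users['alice']));
var_dump(maybeUpgradeHash($users, 'alice', 'correct horse battery staple'));
```

Only the hash string needs to be stored per user; when `maybeUpgradeHash()` returns true, write the new hash back to the database in place of the old one.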