Question

I have the following password:

123

Now I hash that and it returns the following key:

$2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J

Now I try to verify the same key using:

return password_verify('123', '$2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J');

However, this returns false.

Can anyone tell me why?

Update

This is my full code:

<?php
/**
 * Created by JetBrains PhpStorm.
 * User: Marc
 * Date: 14-12-13
 * Time: 13:56
 * To change this template use File | Settings | File Templates.
 */
class Security {
    /**
     * Hashes a password with password_hash(). This is a one-way hash, not
     * encryption; the method name is kept as in the original code.
     *
     * @param string $string
     * @return string|false
     */
    public function encrypt($string) {
        return password_hash($string, PASSWORD_DEFAULT);
    }

    /**
     * @param string $string
     * @param string $hash
     * @return bool
     */
    public function validate($string, $hash) {
        return password_verify($string, $hash);
    }
}

// Note: $username is concatenated straight into the SQL string, which is open to
// SQL injection; the lookup should bind the username as a query parameter instead.
$hash = $this->db->template("SELECT password FROM User WHERE username = '".$username."'", READ_FROM_QUERY)['password'];
$validate = $this->getSecurity()->validate($password, $hash);

I try to insert the following string:

Helloworld

However $validate = false;

The password hash comes back as $2y$10$VbicsFaGN9d3ggQTNYIto.Bp6x/rbjpsBe2kneEhJ9oP2KdPsZ7hy

If I try to rehash it, it returns the same value, so they must be equal to each other, so why does it return false?!

This returns false as well:

$validate =  $this->getSecurity()->validate((string)$password, (string)$hash);

Solution

For your first example, with a password of 123, the problem is that you are truncating the hash.

// The 'salt' option is only used here to reproduce the exact hash from the question;
// it is deprecated since PHP 7.0 and ignored (with a warning) since PHP 8.0.
$settings = array('cost' => 10, 'salt' => 'rSq.2M7Ikc.QPhVtYlp1Nu');
echo password_hash('123', PASSWORD_BCRYPT, $settings);
// $2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J/WWUma/RrNWKFay // What is echoed (60 characters)
// $2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J                // Your hash (45 characters)

I would assume that your database column has a maximum length of 45 characters and that's why it is truncating it.

For the second string, the problem is that somewhere along the line you are converting the password to a lower case.

// Uppercase 'H'
$settings = array('cost' => 10, 'salt' => 'VbicsFaGN9d3ggQTNYIto.');
echo password_hash('Helloworld', PASSWORD_BCRYPT, $settings);
// $2y$10$VbicsFaGN9d3ggQTNYIto.qFAer7kUmKmcy6y9RCNzaaKD7fJraba

// Lowercase 'h'
$settings = array('cost' => 10, 'salt' => 'VbicsFaGN9d3ggQTNYIto.');
echo password_hash('helloworld', PASSWORD_BCRYPT, $settings);
// $2y$10$VbicsFaGN9d3ggQTNYIto.Bp6x/rbjpsBe2kneEhJ9oP2KdPsZ7hy

So when you try to validate using Helloworld it will return false because the hash is for helloworld.

You really need to be more careful because both of these are really careless errors. And note, you should NEVER convert passwords to a certain case (upper or lower) because this weakens them significantly.
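As an added example, not part of the question or of the answer above, the following PHP script reproduces both failure modes the answer describes and wraps password_verify() in a sanity check that refuses a hash which has been cut short, so a broken column shows up as a storage problem rather than as a "wrong password". The function names checkStoredHash() and verifyLogin() and the 45-character column (simulated with substr()) are assumptions made for the illustration.

```php
<?php
// Added example, not code from the question or the answer. Reproduces the two
// failure modes above (truncated hash, case-changed password) and shows a
// storage sanity check. checkStoredHash(), verifyLogin() and the simulated
// 45-character column are assumptions made for this illustration.
declare(strict_types=1);

// Every bcrypt ("$2y$") hash produced by password_hash() is exactly 60 bytes.
const BCRYPT_HASH_LENGTH = 60;

/**
 * Inspect a hash as read from storage. Returns null if it looks intact,
 * otherwise a short description of what is wrong with it.
 */
function checkStoredHash(string $hash): ?string
{
    // Check the length first: a cut-off bcrypt string still starts with "$2y$",
    // but password_get_info() would no longer recognise it.
    if (strncmp($hash, '$2y$', 4) === 0 && strlen($hash) !== BCRYPT_HASH_LENGTH) {
        return sprintf(
            'bcrypt hash is %d characters, expected %d (truncated database column?)',
            strlen($hash),
            BCRYPT_HASH_LENGTH
        );
    }
    if (password_get_info($hash)['algoName'] === 'unknown') {
        return 'not a recognised password_hash() output';
    }
    return null;
}

/**
 * Verify a login attempt. A damaged hash can never verify, so it is reported
 * separately instead of looking like a plain wrong password.
 */
function verifyLogin(string $candidate, string $storedHash): bool
{
    $problem = checkStoredHash($storedHash);
    if ($problem !== null) {
        error_log("stored hash rejected: $problem");
        return false;
    }
    // password_verify() compares the exact bytes of the candidate: no trimming,
    // no case folding, no normalisation happens here.
    return password_verify($candidate, $storedHash);
}

// 1. Truncation, the "123" case. A column keeping only the first 45 characters
//    is simulated with substr(); constructed input for the example.
$full      = password_hash('123', PASSWORD_BCRYPT, ['cost' => 10]);
$truncated = substr($full, 0, 45);
printf("full hash (%d chars): %s\n", strlen($full), $full);
printf("verify against full hash: %s\n", var_export(verifyLogin('123', $full), true));
printf("verify against truncated hash: %s\n", var_export(verifyLogin('123', $truncated), true));
printf("check on truncated hash: %s\n", checkStoredHash($truncated));

// 2. Case change, the "Helloworld" case. The hash is made from the exact string;
//    a candidate that was lower-cased somewhere on the way does not match it.
$hash = password_hash('Helloworld', PASSWORD_BCRYPT, ['cost' => 10]);
printf("Helloworld vs hash(Helloworld): %s\n", var_export(verifyLogin('Helloworld', $hash), true));
printf("helloworld vs hash(Helloworld): %s\n", var_export(verifyLogin('helloworld', $hash), true));

// 3. Hashing the same password twice gives two different strings, because
//    password_hash() draws a fresh random salt on every call; both still verify.
//    Comparing two hashes as strings is therefore not a way to check a password.
$again = password_hash('Helloworld', PASSWORD_BCRYPT, ['cost' => 10]);
printf("same string twice: %s\n", var_export($hash === $again, true));
printf("Helloworld vs second hash: %s\n", var_export(verifyLogin('Helloworld', $again), true));
```

Run it with `php` from the command line. The truncated copy fails verification and is flagged by checkStoredHash(), the lower-cased candidate fails against the hash of the mixed-case password, and the two hashes of the same password differ while both verify. In practice the column should be wide enough for any future algorithm as well, which is why the PHP manual recommends VARCHAR(255) for password_hash() output; the length check is also worth running once at registration time, right after the insert, so a silently truncating column is caught before the first login fails.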

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow