password_hash and password_verify returns false
21-12-2019
Question
I have the following password:
123
Now I hash that and it returns the following key:
$2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J
Now I try to verify the same key using:
return password_verify('123', '$2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J');
however this returns false.
Can anyone tell me why?
Update
This is my full code:
<?php
/**
* Created by JetBrains PhpStorm.
* User: Marc
* Date: 14-12-13
* Time: 13:56
* To change this template use File | Settings | File Templates.
*/
class Security {
    /**
     * Hashes a password with password_hash(). Despite the method name this is a
     * one-way hash, not encryption: the result cannot be decrypted, only verified.
     * @param string $string plaintext password
     * @return string|false the hash, or false on failure (PHP < 8.0)
     */
    public function encrypt($string) {
        return password_hash($string, PASSWORD_DEFAULT);
    }
    /**
     * Checks a plaintext password against a stored hash with password_verify().
     * @param string $string plaintext password exactly as submitted
     * @param string $hash the complete hash string as stored
     * @return bool
     */
    public function validate($string, $hash) {
        return password_verify($string, $hash);
    }
}
// Note: $username is concatenated straight into the SQL string, so this query is
// open to SQL injection; it should be a parameterized query instead.
$hash = $this->db->template("SELECT password FROM User WHERE username = '".$username."'", READ_FROM_QUERY)['password'];
$validate = $this->getSecurity()->validate($password, $hash);
I try to insert the following string:
Helloworld
However, $validate = false;
The password hash returned is $2y$10$VbicsFaGN9d3ggQTNYIto.Bp6x/rbjpsBe2kneEhJ9oP2KdPsZ7hy
If I try and rehash it, it returns the same value, so they must be equal to each other, so why does it return false?!??!
This returns false as well:
$validate = $this->getSecurity()->validate((string)$password, (string)$hash);
Solution
For your first example, with a password of 123, the problem is that you are truncating the hash.
// Note: the 'salt' option is deprecated since PHP 7.0 and ignored (with a warning)
// as of PHP 8.0; it is used here only to reproduce the exact hash from the question.
$settings = array('cost' => 10, 'salt' => 'rSq.2M7Ikc.QPhVtYlp1Nu');
echo password_hash('123', PASSWORD_BCRYPT, $settings);
// $2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J/WWUma/RrNWKFay // What is echoed (60 characters)
// $2y$10$rSq.2M7Ikc.QPhVtYlp1Nu8HI.Eq5fUgVWn25J                // Your hash (45 characters)
I would assume that your database column has a maximum length of 45 characters and that's why it is truncating it.
For the second string, the problem is that somewhere along the line you are converting the password to a lower case.
// Uppercase 'H'
$settings = array('cost' => 10, 'salt' => 'VbicsFaGN9d3ggQTNYIto.');
echo password_hash('Helloworld', PASSWORD_BCRYPT, $settings);
// $2y$10$VbicsFaGN9d3ggQTNYIto.qFAer7kUmKmcy6y9RCNzaaKD7fJraba
// Lowercase 'h'
$settings = array('cost' => 10, 'salt' => 'VbicsFaGN9d3ggQTNYIto.');
echo password_hash('helloworld', PASSWORD_BCRYPT, $settings);
// $2y$10$VbicsFaGN9d3ggQTNYIto.Bp6x/rbjpsBe2kneEhJ9oP2KdPsZ7hy
So when you try to validate using Helloworld it will return false because the hash is for helloworld.
You really need to be more careful because both of these are really careless errors. And note, you should NEVER convert passwords to a certain case (upper or lower) because this weakens them significantly.
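Both failure modes from the answer, reproduced as an added example that is not part of the original question or answer. It constructs a correct 60-character bcrypt hash, a copy cut to 45 characters (what a VARCHAR(45) column would keep) and a hash of the lower-cased password, then runs each through a login check that inspects the stored hash before calling password_verify(), so a truncated value fails with a reason instead of a bare false. The helper names (storedHashProblems, checkLogin) are this example's own, not the page's; no database is used and the "stored" values are built inline.

```php
<?php
// Added example, not part of the original question or answer. It reproduces
// both failure modes the answer describes (a bcrypt hash cut off by a short
// column, and a password lower-cased before hashing) and shows the check a
// login path should run on the stored hash before calling password_verify().
// No database is involved: the "stored" values below are constructed inline.

declare(strict_types=1);

// bcrypt output is always exactly 60 characters:
// "$2y$" + two-digit cost + "$" + 22-char salt + 31-char hash.
const BCRYPT_LENGTH = 60;

/**
 * Report problems with a stored hash that would make password_verify()
 * return false for every password. Returns an empty array if it looks sane.
 */
function storedHashProblems(string $hash): array
{
    $problems = [];
    $info = password_get_info($hash); // 'algoName' is 'unknown' for unrecognised input
    if ($info['algoName'] === 'unknown') {
        $problems[] = 'hash not recognised by password_get_info()';
    }
    if (substr($hash, 0, 4) === '$2y$' && strlen($hash) !== BCRYPT_LENGTH) {
        $problems[] = sprintf('bcrypt hash is %d characters, expected %d (truncated column?)',
                              strlen($hash), BCRYPT_LENGTH);
    }
    return $problems;
}

/**
 * Login check: refuse to proceed on a malformed stored hash, pass the
 * submitted password through untouched (no trim, no case change), and
 * report whether the hash should be regenerated with current defaults.
 */
function checkLogin(string $submitted, string $storedHash): array
{
    $problems = storedHashProblems($storedHash);
    if ($problems !== []) {
        return ['ok' => false, 'reason' => implode('; ', $problems), 'rehash' => false];
    }
    $ok = password_verify($submitted, $storedHash);
    return [
        'ok'     => $ok,
        'reason' => $ok ? 'match' : 'password does not match stored hash',
        // true when the stored hash uses an older algorithm or cost than PASSWORD_DEFAULT now
        'rehash' => $ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT),
    ];
}

$password = 'Helloworld';

// 1. Correct flow: the full 60-character hash is stored, password passed through unchanged.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// 2. Failure mode from the question: a VARCHAR(45) column keeps only 45 characters.
$truncated = substr($stored, 0, 45);

// 3. Failure mode from the update: something lower-cased the password before hashing.
$caseFolded = password_hash(strtolower($password), PASSWORD_BCRYPT, ['cost' => 10]);

$cases = ['full hash' => $stored, 'truncated hash' => $truncated, 'case-folded hash' => $caseFolded];
foreach ($cases as $label => $hash) {
    $result = checkLogin($password, $hash);
    printf("%-17s strlen=%2d ok=%s (%s)\n",
           $label, strlen($hash), $result['ok'] ? 'true' : 'false', $result['reason']);
}
```

Only the first case verifies; the truncated hash is rejected before password_verify() runs, with the length mismatch in the reason, and the case-folded hash fails the comparison. Two practical notes: in MySQL a too-long value is an error only in strict SQL mode, otherwise it is silently cut to the column width, which is exactly how a 45-character hash ends up in the table; and the PHP manual recommends a column of 255 characters for PASSWORD_DEFAULT output, because the default algorithm may change to one with longer hashes, so sizing the column to exactly 60 is a mistake waiting to happen.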