BCrypt Verify Problem


matt smith

Jan 15, 2014, 3:51:30 PM
to f3-fra...@googlegroups.com
I'm storing passwords using the bcrypt add-on. It hashes the password, and it gets stored in the DB just fine. Problem is when I try to use the verify function passing in the (cleartextpassword, hashedpassword) it always returns false. I double-checked that all the data getting passed to the function is correct. I've tried both passing in my own salt and having one generated.

Any ideas?

Thanks.

stu warneski

Jan 15, 2014, 4:55:48 PM
to f3-fra...@googlegroups.com
don't you just get the hashed from the db, hash the cleartext verified passed in with the same salt used to store the db hashed version, then compare?

echo the hashed vs the verified hash, perhaps they are not a match?

matt smith

Jan 15, 2014, 5:01:41 PM
to f3-fra...@googlegroups.com
No - they are different values each time you hash, even when using the same salt. The verify method does something different.

bcosca

Jan 15, 2014, 5:46:50 PM
to f3-fra...@googlegroups.com
<?php
$bcrypt=\Bcrypt::instance();

// Without a salt: the plugin generates a random salt, so the hash differs on every call
$hash=$bcrypt->hash('hell0_w0rld');
var_dump($hash);
// verify() re-hashes the cleartext with the salt embedded in $hash and compares
var_dump($bcrypt->verify('hacked_this',$hash));
var_dump($bcrypt->verify('hell0_w0rld',$hash));

// Using a salt that generates a constant hash
$hash=$bcrypt->hash('hell0_w0rld','WelcomeToTheWastelands');
var_dump($hash);
var_dump($bcrypt->verify('hacked_this',$hash));
var_dump($bcrypt->verify('hell0_w0rld',$hash));

Output:

string '$2y$10$JxrnXNwX7VF2kBsD6zDzKOo8yVnGFzQyVCRpmIHPe/JPDYFtJMXmG' (length=60)
boolean false
boolean true

string '$2y$10$WelcomeToTheWastelandeBWxFLqdLbyzz2HsEtHelwDeW/SiiSTK' (length=60)
boolean false
boolean true

ikkez

Jan 15, 2014, 6:47:47 PM
to f3-fra...@googlegroups.com
Also notice that you need minimum PHP version 5.3.7 to make bcrypt work properly.

matt smith

Jan 15, 2014, 9:26:02 PM
to f3-fra...@googlegroups.com
Thanks so much for the replies. Of course in the end it wasn't F3's fault, but how it was getting stored into the database. I didn't realize that with Cortex, when you have a set_field function, it automatically gets called; I just figured that was a naming convention. So it was being hashed twice.
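The double-hash failure Matt describes, reproduced as an added example that is not part of the thread. It uses PHP's native password_hash()/password_verify() (PHP 5.5 and later) instead of the F3 \Bcrypt plugin, and the UserRecord class with its set_password() setter is a hypothetical stand-in for a Cortex mapper whose set_<field>() hook runs automatically on assignment; it also shows why stu's suggestion of comparing two hashes directly cannot work with a random salt.

```php
<?php
// Added example (not F3 or Cortex code). UserRecord mimics a mapper that
// automatically calls set_<field>() when that field is assigned.
class UserRecord
{
    private $fields = array();

    // Hypothetical setter hook: hashes whatever value is assigned to "password".
    public function set_password($value)
    {
        return password_hash($value, PASSWORD_BCRYPT, array('cost' => 10));
    }

    public function __set($name, $value)
    {
        $setter = 'set_' . $name;
        if (method_exists($this, $setter)) {
            // The hook fires on every assignment, hashed input or not.
            $value = $this->$setter($value);
        }
        $this->fields[$name] = $value;
    }

    public function __get($name)
    {
        return $this->fields[$name];
    }
}

// The bug from the thread: the caller hashes, then the setter hashes the
// hash again, so the stored value is bcrypt(bcrypt(password)).
function storeDoubleHashed($clear)
{
    $u = new UserRecord();
    $u->password = password_hash($clear, PASSWORD_BCRYPT);
    return $u->password;
}

// The fix: assign the cleartext once and let the setter do the only hash.
function storeOnce($clear)
{
    $u = new UserRecord();
    $u->password = $clear;
    return $u->password;
}

// Verification re-hashes the cleartext with the salt embedded in the stored
// string and compares. Against a double-hashed value the cleartext can never
// match; against a single hash it matches and a wrong password does not.
function checkLogin($clear, $stored)
{
    return password_verify($clear, $stored);
}

// Two hashes of the same password differ (fresh random salt each time), yet
// both verify, which is why the hashes must not be compared to each other.
function hashesDifferButBothVerify($clear)
{
    $h1 = password_hash($clear, PASSWORD_BCRYPT);
    $h2 = password_hash($clear, PASSWORD_BCRYPT);
    return array(
        'identical'  => ($h1 === $h2),
        'h1_verifies' => password_verify($clear, $h1),
        'h2_verifies' => password_verify($clear, $h2),
    );
}

$clear = 'hell0_w0rld'; // constructed sample password

var_dump(checkLogin($clear, storeDoubleHashed($clear)));
var_dump(checkLogin($clear, storeOnce($clear)));
var_dump(checkLogin('hacked_this', storeOnce($clear)));
var_dump(hashesDifferButBothVerify($clear));
```

The same symptom appears with the F3 plugin whenever a value is already a 60-character `$2y$` string by the time it reaches the hashing setter, so a quick check when verify() always fails is to inspect the stored column: a bcrypt hash of a bcrypt hash looks just like any other bcrypt hash, and only tracing where the assignment happens reveals the second round.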