php - Hashing password using crypt does not work on the login, it displays incorrect pass
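I have a register page that allows the user to insert a password, which needs to be hashed to become more secure in the database. That works fine,
but when it comes to login, the entered password does not match the registered one. How do I fix this problem?
This is the first time I use hashing, and it did not work as I want.
This is the register code for the hash: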

    // add md5 hash password
    function cryptpass($input, $rounds = 9) {
        $salt = "";
        $saltchars = array_merge(range('a','z'), range('A','Z'), range('0','9'));
        // build a new random 22-character salt on every call
        for ($i = 0; $i < 22; $i++) {
            $salt .= $saltchars[array_rand($saltchars)];
        }
        return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
    }

    $hashedpass = cryptpass($pass1);
    echo $hashedpass;

The hashed password = $2y$09$test$5i9x8hwha4uhi5tmu.axfdwvzaddce.ld6hckrk3zsqjen7e
This is the login code for the hash:

    function cryptpass($input, $rounds = 9) {
        $salt = "";
        $saltchars = array_merge(range('a','z'), range('A','Z'), range('0','9'));
        // a different random salt is generated here than at registration
        for ($i = 0; $i < 22; $i++) {
            $salt .= $saltchars[array_rand($saltchars)];
        }
        return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
    }

    $hashedpass = cryptpass($pass);
    echo $hashedpass;

The hashed password = $2y$09$test$4zggcixdkzgqvuzwu.axfdwvzaddce.ld6hckrk3zsqjen7e

Upon registration you create a unique salt. That salt is part of the hash. If you look closely, you'll see it's embedded in the first part of the hash. To check the password, use the previous hashed password's salt, so you're using the same salt again.
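
    // fetch the hash that was stored at registration
    $correctpasswordhash = getpasswordfromdatabase($_POST['username']);
    // the stored hash is passed as the salt argument
    $hash = crypt($_POST['password'], $correctpasswordhash);
    if ($correctpasswordhash === $hash) ...
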
To make this easier and more foolproof, use the password_compat library, which wraps this in an easy-to-use API, which will be integrated into a future version of PHP. Inspect its source code for the correct usage of crypt, since there are some pitfalls you need to take care of. The password_compat library is also using a custom binary comparison instead of a simple === to thwart timing attacks.
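
The check the answer describes, as an added example that is not part of the original question or answer: the stored hash is passed back to crypt() as the salt, and the result is compared in constant time. It assumes PHP 7+; makeBcryptSalt(), registerUser(), checkLogin() and the in-memory $users array are hypothetical names, and the credentials are constructed.

```php
<?php
// Added example (not from the question or answer). Assumes PHP 7+.
// makeBcryptSalt(), registerUser(), checkLogin() and $users are hypothetical names.

// "$2y$" + two-digit cost + "$" + 22 salt characters from ./A-Za-z0-9.
function makeBcryptSalt(int $rounds = 9): string
{
    // random_bytes() is a CSPRNG, used here in place of the question's array_rand().
    // The first 22 base64 characters carry no "=" padding; "+" is mapped to ".".
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$', $rounds) . $salt;
}

function registerUser(array &$users, string $name, string $password): void
{
    // The returned hash embeds algorithm, cost and salt, so only this string is stored.
    $users[$name] = crypt($password, makeBcryptSalt());
}

function checkLogin(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];
    // Passing the stored hash as the salt makes crypt() reuse its cost and salt.
    $candidate = crypt($password, $stored);
    return hash_equals($stored, $candidate); // timing-safe comparison
}

$users = []; // stands in for the database
registerUser($users, 'alice', 'correct horse'); // constructed credentials

var_dump(checkLogin($users, 'alice', 'correct horse')); // right password
var_dump(checkLogin($users, 'alice', 'wrong guess'));   // wrong password

// The question's login path: hashing again with a fresh salt yields a different hash.
var_dump(hash_equals($users['alice'], crypt('correct horse', makeBcryptSalt())));

// The same flow through the API that password_compat provides.
$hash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 9]);
var_dump(password_verify('correct horse', $hash));
```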