
I have the following code, where the user password contains a Blowfish secret and the user password itself.

The hash is a different one (not of the secret and the password!!), but I still got true as the result:

<?php
## password (secret + userpass)
$pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';

## hash
$hash = '$2y$10$9VGEg7HamRVDILsFV5dvJu3l5.Psfk4g6N8.Jcn6/gMhoZIKDLAAm';

## verify
$check = password_verify($pass, $hash);

## check
if(true === $check) {
    
    var_dump($check);
    
} else {
    
    echo "false";
    
}
?>

I have read a lot and think it can be a problem of the length! The algo is limited to 72 chars. For more security, we have a login with a Blowfish secret. While hashing, we chain the Blowfish secret + user password into one big password, then hash it. While logging in, we chain the Blowfish secret and user password again and verify. The result of this is a big password which is hashed in the DB.

2 Answers

  1. Please use password_hash() for generating the hash for the password, then use this hash in the password_verify() function.

    <?php
    $pass = "secret_password";

    $hash = password_hash($pass, PASSWORD_DEFAULT); // please use this for generating the hash

    ## verify
    $check = password_verify($pass, $hash);

    ## check
    if (true === $check) {
        var_dump($check);
    } else {
        echo "false";
    }
    ?>
    
  2. Did you use password_hash with the PASSWORD_BCRYPT option (or with PASSWORD_DEFAULT, since Bcrypt is currently the default algorithm)? As per the PHP documentation for password_hash, that will indeed truncate the password to 72 characters.

    Example of the issue:

    $pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';
    $pass2 = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQ';
    
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    
    echo $hash.PHP_EOL;
    
    var_dump(password_verify($pass2, $hash));
    

    Live demo: https://3v4l.org/Y2pTX.

    If you want very long passwords, I suggest using a different algorithm which doesn’t have this issue. Either that, or don’t use the extra blowfish salt (which shouldn’t be necessary), or at least reduce its length.

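The following is an added example, written for this page and not code from the question or from either answer. It makes the failure concrete with constructed values: the secret in the question is already longer than 72 bytes (the 72-character prefix in the second answer is the whole of what bcrypt sees), so the user password appended after it never influences the hash and any user password verifies. The block shows that behaviour, then the two remedies the second answer suggests: keep bcrypt but keep the pepper short and guard the total length in bytes, or switch to Argon2id, which has no 72-byte window. The pepper strings, passwords and helper function names are assumptions made for the demonstration; the Argon2id branch assumes a PHP build with Argon2 support (PHP 7.3 or later).

```php
<?php
// Added example, not code from the question or either answer.
// All pepper and password values below are constructed for the demonstration.
declare(strict_types=1);

// bcrypt (PASSWORD_BCRYPT, the current PASSWORD_DEFAULT) uses only the
// first 72 BYTES of its input; anything after that is silently dropped.
const BCRYPT_MAX_BYTES = 72;

/**
 * True when pepper . password fits inside bcrypt's 72-byte window, i.e.
 * every byte of the user's password still influences the hash.
 * strlen() counts bytes on purpose: a multibyte UTF-8 password takes more
 * than one byte per character, and bcrypt counts bytes, not characters.
 */
function fitsInBcrypt(string $pepper, string $password): bool
{
    return strlen($pepper . $password) <= BCRYPT_MAX_BYTES;
}

/**
 * Hash with bcrypt, refusing any input whose tail bcrypt would ignore.
 * Throwing is deliberate: a silently truncated hash is exactly the bug
 * in the question, where the user password sits past byte 72.
 */
function hashWithPepperBcrypt(string $pepper, string $password): string
{
    if (!fitsInBcrypt($pepper, $password)) {
        throw new LengthException('pepper + password exceeds 72 bytes; bcrypt would truncate it');
    }
    return password_hash($pepper . $password, PASSWORD_BCRYPT);
}

function verifyWithPepperBcrypt(string $pepper, string $password, string $hash): bool
{
    // Same guard on the login path, so an over-long input can never verify
    // against a hash that only covers part of it.
    return fitsInBcrypt($pepper, $password) && password_verify($pepper . $password, $hash);
}

/** Argon2id has no 72-byte limit, so the whole pepper . password is used. */
function hashWithPepperArgon2id(string $pepper, string $password): string
{
    return password_hash($pepper . $password, PASSWORD_ARGON2ID);
}

function verifyWithPepperArgon2id(string $pepper, string $password, string $hash): bool
{
    return password_verify($pepper . $password, $hash);
}

// --- Demonstration ---------------------------------------------------------

$longPepper  = str_repeat('P', 80);   // constructed: longer than 72 bytes on its own
$shortPepper = str_repeat('s', 32);   // constructed: leaves 40 bytes for the password
$passwordA   = 'correct horse battery staple';
$passwordB   = 'completely-different';

// 1. The scheme from the question: the pepper alone reaches past byte 72,
//    so bcrypt never sees the user password and a different one verifies.
$buggyHash = password_hash($longPepper . $passwordA, PASSWORD_BCRYPT);
printf("bcrypt, 80-byte pepper, wrong password accepted: %s\n",
    password_verify($longPepper . $passwordB, $buggyHash) ? 'yes (bug)' : 'no');

// 2. Fix A: a shorter pepper plus an explicit byte-length guard.
$safeHash = hashWithPepperBcrypt($shortPepper, $passwordA);
printf("bcrypt, 32-byte pepper, right password accepted: %s\n",
    verifyWithPepperBcrypt($shortPepper, $passwordA, $safeHash) ? 'yes' : 'no');
printf("bcrypt, 32-byte pepper, wrong password accepted: %s\n",
    verifyWithPepperBcrypt($shortPepper, $passwordB, $safeHash) ? 'yes' : 'no');
try {
    hashWithPepperBcrypt($longPepper, $passwordA);
} catch (LengthException $e) {
    printf("bcrypt, 80-byte pepper, refused: %s\n", $e->getMessage());
}

// 3. Fix B: Argon2id, which hashes the full input (assumes Argon2 support).
if (defined('PASSWORD_ARGON2ID')) {
    $argonHash = hashWithPepperArgon2id($longPepper, $passwordA);
    printf("argon2id, 80-byte pepper, right password accepted: %s\n",
        verifyWithPepperArgon2id($longPepper, $passwordA, $argonHash) ? 'yes' : 'no');
    printf("argon2id, 80-byte pepper, wrong password accepted: %s\n",
        verifyWithPepperArgon2id($longPepper, $passwordB, $argonHash) ? 'yes' : 'no');
} else {
    echo "argon2id not available in this PHP build\n";
}
```

The guard is applied on both the hashing and the verification path because bcrypt gives no error when it truncates; the only way to notice is to measure the input yourself, in bytes, before calling password_hash or password_verify. If the pepper stays in the design, keeping it well under 72 bytes (32 bytes in the example) leaves room for the user's actual password, and password_needs_rehash() can be used to migrate existing bcrypt hashes to Argon2id on the next successful login.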