0

Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?

I am researching the best and safest methods of encrypting and storing user passwords in a database for logins. One article I came across, Salted Password Hashing - Doing it Right, provides a fairly complicated-looking set of functions for encrypting and checking passwords.

I understand how the code works, but the article also mentions storing not only the hashed password in the database, but the salt as well. How would I go about doing that, using the given code? For example:

// User registers with username and password; assume they're already validataed
$hash = create_hash($password_entered);
$password_hash = $hash[HASH_PBKDF2_INDEX];
$salt = $hash[HASH_SALT_INDEX];

$PDO = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
$statement = $PDO->prepare('INSERT INTO users (username, password, user_salt)
    VALUES (:username, :password; :user_salt)');
$statement->execute(array(
    ':username'  => $username_entered,
    ':password'  => $password_hash,
    ':user_salt' => $salt,
));

That seems right... however, when verifying a login, I'm not sure what to check against the entered password from the login form. The compiled hash returned by create_hash() gives a colon-delimited list of values. I'm just not sure where to go from here, or if this source code is even worth using.

Community
  • 1
  • 1
TerranRich
  • 1,263
  • 3
  • 20
  • 38
  • 3
    If you are looking for the safest way. Don't do it yourself. Either wait till PHP 5.5 for the native password API or use [the compat lib](https://github.com/ircmaxell/password_compat) in the meantime. – PeeHaa Dec 19 '12 at 21:29
  • 2
    Aren't you supposed to use the `validate_password` function from the article? And as you wrote, `create_hash` returns a string which already contains everything needed to recreate it (algorithm, iterations, hash and salt), so you only need to store that concatenated string. – vgru Dec 19 '12 at 21:30
  • 2
    Looks like the `create_hash` function embeds the salt right with the hash (a common practice) so no need to store the salt separately on the user record. – Eric Petroelje Dec 19 '12 at 21:31
  • How is this an exact duplicate of a question regarding `bcrypt`, which I've never HEARD of? What the hell kind of moderation is this, seriously? My question is regarding a completely different library of code than that other question. Whatever. – TerranRich Dec 20 '12 at 02:21

2 Answers2

1

I haven't used this code but I'm pretty sure you should not save user_salt separately in a column of your user table. User salt will be included in the hash (location 3 in a colon delimited hash). In your login script, get the password user has entered, and call the following function:

// here run a query and get the hashed password from the users table and put the
// hashed value in $hashed_password_from_database
// $user_enetered_password usually comes from $_POST

if (validate_password($user_entered_password, $hashed_password_from_database)) {
  // login successful
} else {
  // login failed
}
Bee
  • 2,472
  • 20
  • 26
  • Ohh, I get it! When it mentions storing the salt in the database, it means the whole comma-delimited value that `create_hash()` generates. I get it now. Thanks! – TerranRich Dec 19 '12 at 21:59
1

To verify the login, use the following function, found on the link you posted, with $password being the password entered by the user attempting to log in, and $good_hash being PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt_from_db . ":" . $hash_from_db

function validate_password($password, $good_hash)
{
    $params = explode(":", $good_hash);
    if(count($params) < HASH_SECTIONS)
       return false;
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return slow_equals(
        $pbkdf2,
        pbkdf2(
            $params[HASH_ALGORITHM_INDEX],
            $password,
            $params[HASH_SALT_INDEX],
            (int)$params[HASH_ITERATION_INDEX],
            strlen($pbkdf2),
            true
        )
    );
}
tom
  • 18,953
  • 4
  • 35
  • 35