
I am basing my bcrypt creation off of this site. I have made some changes to it though, so this is my version of the code: My version of bcrypt

I have started working on my login form and I have come to the general understanding that to check a user's credentials you must:

  1. Recreate the bcrypt.

  2. Compare the $_POST['password'] that is being submitted to the password you have stored in the database.

  3. Return a row count, so if a row is returned where the password that you recreated matches the already stored password, then the row count must == 1.

What I am confused about:

  1. How do I let the checklogin form know what the bcrypt function was to begin with? Do I have to include the register script? Or do I have to copy and paste the bcrypt function?

I have tried to implement this in my user authentication and for some reason it is not working for me.

This is my code; hopefully someone sees a problem that I don't.

Any help would be greatly appreciated

  • I don't know why you are not checking that $_POST['username'] and $_POST['password'] are set before use. I think you have turned off error reporting, or you are expecting the user to always enter both, and if they don't, showing the error message "undefined index: bla on line bla" is good. Commented Dec 29, 2012 at 15:10
  • Related Blog Post: Seven Ways To Screw Up A BCrypt Implementation Commented Dec 29, 2012 at 15:11
  • Btw, did you check the password column size? It should be >= 60. Also, your salt is way, way too long; only 22 characters are used. Commented Dec 29, 2012 at 15:13
  • You need to validate POST data, i.e. that the required fields are set, otherwise get ready for ... annoying errors. Commented Dec 29, 2012 at 15:15
  • Rage, I suggest you have a look at the password_hash and password_verify functions. They are implemented for PHP 5.5 and have a compat library for older versions. The API cannot get simpler than that. php.net/password github.com/ircmaxell/password_compat It has been verified on security.stackexchange.com/q/16506/2630 Commented Dec 29, 2012 at 15:31

1 Answer

What your code is trying to do is similar to how the old unsalted md5() hashes were looked up: PHP calculates the hash and then the database lookup is done based on that hash value and the user name.

Because your code is using a different salt each time when it needs to verify a given password, the lookup in the database would practically never work.

With bcrypt it works like this:

  1. Fetch the database record based on the user name.

  2. Use the stored password hash in there to compare against the posted password:

    if (crypt($form_password, $db_hash) === $db_hash) { ... }
    

Tips

Generating a salt for bcrypt can be much easier (you don't need 10k characters):

rtrim(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), '=');

Also, the cost parameter of 17 is really big ... unless you're running serious hardware, you're going to bring down the site when someone tries to brute force a password.
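The fetch-by-username-then-verify flow from this answer, written out as an added example; it is not part of the original answer or the asker's code. It assumes PHP 7 or later (password_hash, password_verify and hash_equals are built in; on PHP 5.3/5.4 the password_compat library mentioned in the comments supplies the password_* functions). The constant, the function names, the cost of 12 and the sample users are all made up here; a plain PHP array stands in for the users table so the file runs on its own.

```php
<?php
// Added example, not the asker's or answerer's code: the bcrypt login flow the
// answer describes, with a PHP array standing in for the users table.
// Assumes PHP 7+ (password_hash / password_verify / hash_equals built in).
// BCRYPT_COST, the function names and the sample users are assumptions.

const BCRYPT_COST = 12; // measure it: one hash should take roughly 100-250 ms on the web server

// Constructed "users table": username => 60-character bcrypt string ($2y$cost$salt+hash).
$users = [];

function register_user(array &$users, string $username, string $password): string
{
    // password_hash() draws its own 22-character salt; no salt handling needed here.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    $users[$username] = $hash; // the real column must be at least VARCHAR(60)
    return $hash;
}

function check_login(array $users, string $username, string $password): bool
{
    // Step 1 of the answer: fetch the record by username only. Never query by hash:
    // a fresh hash of the same password has a fresh salt and never matches a stored row.
    if (!isset($users[$username])) {
        // Unknown user: still run one bcrypt so response time does not reveal
        // which usernames exist (the dummy hash is built once per process).
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        }
        password_verify($password, $dummy);
        return false;
    }

    // Step 2: the stored string carries its own salt and cost in its prefix, so
    // re-hashing the submitted password with it reproduces the stored value exactly
    // when the password is right. password_verify() is crypt() plus a constant-time compare.
    return password_verify($password, $users[$username]);
}

function check_login_crypt(string $password, string $db_hash): bool
{
    // The answer's crypt() comparison, with hash_equals() instead of === so the
    // string comparison itself does not leak through timing.
    return hash_equals($db_hash, crypt($password, $db_hash));
}

function handle_login_post(array $users, array $post): bool
{
    // Validate the POST data before touching it (the "undefined index" point in the comments).
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])
        || $post['username'] === '' || $post['password'] === '') {
        return false;
    }
    return check_login($users, $post['username'], $post['password']);
}

// Usage from the command line: php bcrypt_login.php
$stored = register_user($users, 'rage', 'correct horse battery staple');
var_dump(handle_login_post($users, ['username' => 'rage', 'password' => 'correct horse battery staple']));
var_dump(handle_login_post($users, ['username' => 'rage', 'password' => 'wrong']));
var_dump(handle_login_post($users, ['username' => 'nobody', 'password' => 'anything']));
var_dump(handle_login_post($users, ['username' => 'rage'])); // password key missing
var_dump(check_login_crypt('correct horse battery staple', $stored));
// The asker's approach: a second hash of the same password gets a new salt, so
// looking that value up in the database finds nothing.
var_dump(password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]) === $stored);
```

In a real login script the `$users` lookup is a prepared statement such as `SELECT password FROM users WHERE username = ?`, fetching one row by username; the row count the asker wanted to test is replaced by the boolean from password_verify(). This also answers the "how does checklogin know the bcrypt function" question: nothing from the register script needs to be included, because the stored hash string itself tells crypt()/password_verify() the algorithm, cost and salt to use.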


4 Comments

  • Correct me if I'm wrong, but doesn't bcrypt also "know" how to verify the passwords? I've been reading that it comes with its own verification built in so that it can check between the user-inputted password and the stored password.
  • $2y$17$MmwkCiSpnLww7.FpHIpaZuy/N1mu2KqtxjKY0D9Ars0U2QVPkYRH6 $2y$17$2MIB9MP211u4BArMXHfQleAUnbFt1u5LcFHIio5/JTrG2jBEEFHhm
    Also, that's how my passwords look, and yes, I have lowered the varchar to less than 60. Thank you for the tip.
  • @RaGe10940 Not less than 60. At least 60! Regarding password verification, I've already covered that in my answer.
