Karaethon

Is 'password_hash' broken?


I copied the code for password_hash at php.net:

[pre]
<?php
/**
 * In this case, we want to increase the default cost for BCRYPT to 12.
 * Note that we also switched to BCRYPT, which will always be 60 characters.
 */
$options = [
    'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
[/pre]

and changed it for use in my login page:

[pre]
$options = ['cost' => 12,];
$user = mysqli_real_escape_string($db_link, $_GET['username']);
$pass = password_hash($_GET['password'], PASSWORD_BCRYPT, $options);
[/pre]

but my page keeps saying invalid user/pass. Upon echoing the $pass I find that the result changes EACH time. So I created a test page that runs the code from php.net (verbatim code) 20x and I got:

[pre]
$2y$10$Nlf0J520viR4C5jd3nIdd.6M3OMKACx503Jm3PiXDYZIs.13XAheq
$2y$10$SO1ip3JI.EGjUJb3JYUDSeAUszg6A3UBX9b.ENk2aythAuxQ1apxS
$2y$10$Ub7cQSbFWXhkLrzm3ldGGe8FfgsOjS99vgj9l801yqXgPjvJmVpsm
$2y$10$8fNzz/tmrg8tLdHOk0r7GOh0j1frKN3ujA/qzrFHi/s22jMO/hbri
$2y$10$o.5LnDxkhw/YNxJT16fuIOiQbnhHKs51SqFTqQ3KsflY6nYV.HLLm
$2y$10$zQZiauRe6tuF2rGd1XGcO.E7ekhfP68Sqih8ll9Om7n5c2NO3tPSu
$2y$10$uLZXDAQu14EW8P4CMMICBuvRv0wOEAxghzJV1c9UuNK7yTRJNNdjO
$2y$10$P6Uy4/PDOnE9zv/VxRAWFebKY/qYXj1unIrTvV42xUxe.zXx3ut2W
$2y$10$uHb8qdh3CGe0BkXdyuThHu0vgAH5bxEPYMe0VK410Q7xqcAlC.xuy
$2y$10$xXwbec0Cn0JcMorGgmmRY.qHW.N1pNoYq.2V.IAQHsCDYPXtgQyJ6
$2y$10$w88m.M6BmVVoYYBhM1IAquOIb4NH9n093nQmdzhKm0Fq2ykgcZFZm
$2y$10$IkVTs7.z4rZt5/rkgRQnKeXfINb7VTqXxTDRZB9caR4X0rwKtdhIW
$2y$10$XyjX0X0I.l4Ct9eF4zhhz.S5Cg/Ppqf3veL9ciehjBr/2Rp8usPCm
$2y$10$iJkhIWl95TVlA4hw2nltd./YmyXA2.abqTu8WFs/YuEvJsndosv6W
$2y$10$kwVNtAaKxG8z2m.D0evl..Xx64NWPxbFAIBjCDLBfgiJncgniBB7S
$2y$10$m8ZyiI7HhXutyTZGySit/O3lmAGsIlfRqEcYc7eCV2XS9TS1Sw9/y
$2y$10$uYDilXy1HKT9M6DiPUhAe.3W5teCpkTF4x5UgVYiJctz4HXNMzU9e
$2y$10$0HDD2quyh2AfMeF41PbKTu7PGTPn2fcl42HLxweaIHay9KbPDrEh6
$2y$10$qc0Kt5VtkrslpLlQmvq5a.dboTbf8qEif9KOwYwjoGGh6Q.xoN8JK
[/pre]

Is password_hash broken? Or am I mistaken to think that it's supposed to return the same output every time for the same input?

Edited by Karaethon
typos corrected


password_hash() is used when the hash of a password is saved, i.e. during registration/password changes, and the hash it produces for a given input is different each time since a random salt is generated and used each time it is called. password_verify() is used to test if a submitted password corresponds to a saved hash.

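The register/login split the reply describes, as an added example that is not code from the thread or from php.net; it assumes an in-memory $users array standing in for the users table.

```php
<?php
// Added example, not code from the thread: the register/login split described above.
// $users is an in-memory array standing in for the users table (assumption);
// in a real login page the stored hash comes from the row for that username.

const HASH_OPTIONS = ['cost' => 12];

/** Registration or password change: hash once and store the 60-char result. */
function register_user(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

/** Login: do NOT call password_hash again and compare strings; the new call
 *  would draw a fresh random salt. password_verify() reads the salt and cost
 *  out of the stored hash and compares in constant time. */
function login_user(array &$users, string $username, string $password): bool
{
    // Hash of a throwaway string, built once, so an unknown username costs
    // the same bcrypt work as a wrong password (no timing-based enumeration).
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_BCRYPT, HASH_OPTIONS);

    $stored = $users[$username] ?? $dummy;
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }
    // Transparent upgrade if the cost was raised after this user registered.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        register_user($users, $username, $password);
    }
    return true;
}

// Demo: hashing the same password twice yields two different strings,
// because every password_hash() call generates its own salt...
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
$first = $users['alice'];
register_user($users, 'alice', 'correct horse battery staple');
echo ($first !== $users['alice']) ? "hashes differ (fresh salt each call)\n"
                                  : "unexpected: identical hashes\n";

// ...yet both verify, which is what the login page must rely on.
echo password_verify('correct horse battery staple', $first) ? "old hash verifies\n" : "old hash FAILS\n";
echo login_user($users, 'alice', 'correct horse battery staple') ? "login ok\n" : "login rejected\n";
echo login_user($users, 'alice', 'wrong password') ? "login ok\n" : "wrong password rejected\n";
echo login_user($users, 'nobody', 'anything') ? "login ok\n" : "unknown user rejected\n";
```

The thread's login snippet reads the password from $_GET; a login form should POST it so the secret does not end up in browser history and server access logs, and the username lookup is better done with a prepared statement than with mysqli_real_escape_string.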

Ahhh. ok... so I use _hash when the user registers or edits their password and _verify when they log in? Kinda wish the php documentation said something about that, or at least I didn't catch it if it did.


There isn't a tutorial on password hashing, if that's what you mean, but the documentation for password_hash does say it creates passwords, and that the returned value can be used with password_verify() to verify the hash.
