Issue with Bcrypt not verifying correctly


Question

I'm using a script that ircmaxell wrote called password_compat. I thought I followed his instructions correctly, but I cannot seem to get my password verified using password_verify($password, $hash).

The hashed password saved in my database is:

$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q

I'm using PDO to grab my hashed password and using password_verify($password, $hash) to compare what the login form is posting. It's my understanding that bcrypt is not a hashing function, so password_verify($password, $hash) will do its magic. I have no idea how the salt is created, but I would think it creates a custom salt for every new password, but how it can compare it to my saved password baffles me. How does it match the correct salt with the password? This whole not saving the salt in my database kind of confuses me, lol. Here is the code I'm using:

bcrypt

if($login->verifyip($_SERVER['REMOTE_ADDR']))
{
    require_once 'password.php'; //password_compat supplied file

    $username   = $_POST['username'];
    $password   = $_POST['password'];
    $dbpassword = $login->GetPassword($username); // pull saved password from db

    // verify posted password with saved password
    if(password_verify($dbpassword, $password))
    {
        echo 'verified';
    }
    else
    {
        echo 'not verified';
    }
}

PDO

public function GetPassword($username)
{
    $passwordSQL = 'CALL get_password(:_user)'; // using stored procedure
    try
    {
        $pdo = new PDO('my login stuff');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $password = $pdo->prepare($passwordSQL);
        $password->bindParam(':_user', $username);
        $password->execute();
        $fetch = $password->fetchColumn(0); // first column of the first row: the stored hash
        $password->closeCursor();
        return $fetch;
    }
    catch(PDOException $e)
    {
        // note: on failure this error string is what the caller hands to password_verify()
        return 'error' . $e->getMessage();
    }
}

As Blender suggested, I removed $hash.

Thanks for taking a look :)

Recommended answer

password_verify's arguments are the other way around:

password_verify($password, $dbpassword)

As for how it works, the hash is of this form:

$<algorithm>$<cost>$<salt>/<hash>

So from the hash:

$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q

You can see that the cost is 10, the salt is zYpSzIj7kTPv3H7wDI and that bcrypt(salt + password) is uXSYqi1se46b38uumP6SM4XGMmsjU3q.

password_verify extracts that information from your supplied hash and just checks if bcrypt(salt + password) == hash.
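An added example (not code from the question or the answer) that splits a bcrypt string into its fields, calls password_verify() with the password first and the stored hash second, and flags a stored value that is not a complete 60-character bcrypt string. It assumes PHP 7.1 or later with the native password_hash()/password_verify(); password_compat provides the same two functions on older versions.

```php
<?php
// Added example, not code from the question or the answer. It assumes
// PHP's native password_hash()/password_verify(); password_compat
// provides the same functions on older PHP versions.

function parseBcrypt(string $hash): ?array
{
    // Layout: "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest,
    // always 60 characters. The "/" in the question's hash is just one of
    // the 64 alphabet characters, not a separator between salt and digest.
    $re = '#^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null; // wrong prefix, or truncated (e.g. a column shorter than 60)
    }
    return [
        'algorithm' => $m[1],
        'cost'      => (int) $m[2],
        'salt'      => $m[3],
        'hash'      => $m[4],
    ];
}

function checkLogin(string $posted, string $stored): string
{
    if (parseBcrypt($stored) === null) {
        // password_verify() would silently return false here; say why instead.
        return 'stored value is not a complete bcrypt hash ('
             . strlen($stored) . ' chars, expected 60)';
    }
    // Password first, stored hash second: the order the question had reversed.
    return password_verify($posted, $stored) ? 'verified' : 'not verified';
}

// Constructed sample: hash a password the way registration would.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
print_r(parseBcrypt($stored));
echo checkLogin('correct horse battery staple', $stored), "\n";
echo checkLogin('wrong password', $stored), "\n";

// The value quoted in the question is 57 characters, three short of a full
// bcrypt string, so no password will ever verify against it.
$truncated = '$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q';
echo checkLogin('anything', $truncated), "\n";
```

The length check matters in practice: a database column narrower than 60 characters silently cuts the hash, and password_verify() then fails for every user with no error message.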
