Passwords::hash() without salt gives different hash on every call

petr.pavel
Backer | 492

It makes sense, so I'm in fact not puzzled about that. What I am perplexed about though, is that sandbox file \Nette-2.2.3\sandbox\app\model\UserManager.php calls Passwords::hash() without salt, expecting it to return the same result every time. And of course, it does not, so authentication doesn't work.

What am I missing, people?

Windows 7, PHP Version 5.3.13

norbe
Backer | 404

If you call Passwords::hash without salt, the salt is generated automatically. For comparison, you need to use Password::verify('password', $hashedPassword)

Comments

jiri.pudil:

To add some clarification if @petr.pavel meant this line in particular: it generates a new hash for $password (which is in plain-text at that moment) in case the old hash is outdated (e.g. after you've increased the cost factor).

5 years ago
petr.pavel:

Actually, I have to apologize.

When modifying the sandbox authenticator to use Doctrine, I mistakenly used both username and password hash to look up the user entity. So I wasn't using Passwords::verify() at all.

I was comparing a newly generated hash with an old hash which couldn't work without fixing the salt. I just wasn't thinking clearly when writing the user look-up method.

Sorry guys for wasting your time.

5 years ago
mcmatak
Member | 499

Hi, sorry, I am not sure what is worse, my English or my knowledge. Can somebody explain to me how the passwords work?

If I don't give the Passwords::hash function the salt, then the salt is randomly generated, so every time I generate the password, a new, different hash will be generated.

So how can I verify this hash? By using the function Passwords::verify? But this function trims the salt from the hash and verifies without it, and also the salt is part of the hash and I can see it. Is that OK? Why use the salt at all?

I can find the salt in every hash??

Comments

Filip Procházka:

The salt is generated randomly and then it becomes part of the password. On verify, the hashing algorithm can read the salt and verify the password. Having a different hash every time for the same password is an advantage.

5 years ago
Šaman:

It's a point. Two users with the same password get different hashes. On PHP 5.5 use the function password_verify; on lower PHP versions use the Nette functions, it is compatible.

P.S. And if English isn't your strong point, why not ask in Czech? :)

5 years ago
Filip Procházka:

You're right, but I don't see a reason to use password_verify even in 5.5 :)

5 years ago
Jan Tvrdík:

I do, password_verify is slightly faster and immune to timing attacks.

5 years ago
Filip Procházka:

Good point. However, there could be a direct fallback inside the Password class for the verification.

5 years ago
David Grudl:

Why is it faster?

5 years ago
Jan Tvrdík:

Because it's written in C. Does not matter. Completely irrelevant for practical purposes. Nothing to worry about.

5 years ago
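The mechanism the thread keeps circling (a random salt drawn on hash, stored inside the result, read back by verify, compared in constant time, and rehashed when the cost goes up), as an added Python example that is not Nette's Passwords class or PHP's password_hash: it uses standard-library PBKDF2-SHA256 as a stand-in for bcrypt and its own constructed `$algo$cost$salt$digest` layout, so the format and the `hash_password`/`verify_password`/`needs_rehash` names are assumptions, not a real API.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed scheme: PBKDF2-SHA256 with 2**cost iterations (bcrypt-like cost).
ALGO = "pbkdf2-sha256"
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, cost: int = 12, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string "$algo$cost$salt$digest".

    When no salt is supplied a fresh random one is drawn, so the same password
    yields a different string on every call; that is why comparing two hash()
    outputs (as the original poster did) can never match."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$".join(["", ALGO, str(cost), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Parse the salt and cost back out of the stored string, recompute, and
    compare in constant time (the timing-attack point raised in the comments)."""
    try:
        _, algo, cost, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = 2 ** int(cost)
    except ValueError:
        return False  # malformed or foreign format: reject, do not guess
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, cost: int = 12) -> bool:
    """True when the stored hash is older than the current policy (e.g. the cost
    factor was raised), which is the case jiri.pudil's comment describes."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != ALGO:
        return True
    try:
        return int(parts[2]) < cost
    except ValueError:
        return True
```

The salt being visible in the stored string is by design: it only has to be unique per hash, not secret, so two users with the same password still get different strings and a precomputed table cannot be reused across them.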