Passwords::hash() without salt gives different hash on every call
- petr.pavel
- Member | 535
It makes sense, so I'm in fact not puzzled about that. What I am perplexed
about though, is that sandbox file
\Nette-2.2.3\sandbox\app\model\UserManager.php
calls
Passwords::hash()
without salt, expecting it to return the same
result every time. And of course, it does not, so authentication
doesn't work.
What am I missing people?
Windows 7, PHP Version 5.3.13
- jiri.pudil
- Nette Blogger | 1032
To add some clarification if @petr.pavel meant this
line in particular: it generates a new hash for $password
(which is in plain-text at that moment) in case the old hash is outdated (e.g.
after you've increased the cost factor).
- petr.pavel
- Member | 535
Actually, I have to apologize.
When modifying the sandbox authenticator to use Doctrine, I mistakenly used both username and password hash to look up the user entity. So I wasn't using Passwords::verify() at all.
I was comparing a newly generated hash with an old hash which couldn't work without fixing the salt. I just wasn't thinking clearly when writing the user look-up method.
Sorry guys for wasting your time.
- mcmatak
- Member | 504
hi, sorry i am not sure what is worse, if my english or my knowledges, can somebody explain me how the passwords works?
if i dont give the Passwords::hash function the salt then the salt is randomly generated, so every time i generate the password, so the new different hash will be generated
so how can i verify this hash? with use of function Passwords::verify? but this function trim the salt from hash and verify without it and also salt is part of hash and i can see it, is it ok? why to use the salt at all?
i can find salt in every hash??
- Filip Procházka
- Moderator | 4668
The salt is generated randomly and then it becomes part of the password. On verify, the hashing algoritm can read the salt and verify the password. Having different hash every time for the same password is an advantage.
- Filip Procházka
- Moderator | 4668
You're right, but I don't see a reason to use password_verify
even in 5.5 :)
- Filip Procházka
- Moderator | 4668
Good point. However, there could be a direct fallback inside the Password class for the verification.
Last edited by Filip Procházka (2014-12-12 10:54)
- Jan Tvrdík
- Nette guru | 2595
Because it's written in C. Does not matter. Completely irrelevant for practical purposes. Nothing to worry about.
Last edited by Jan Tvrdík (2014-12-12 13:22)