Passwords::hash() without salt gives different hash on every call

petr.pavel

It makes sense, so I'm in fact not puzzled about that. What I am perplexed about though, is that sandbox file \Nette-2.2.3\sandbox\app\model\UserManager.php calls Passwords::hash() without salt, expecting it to return the same result every time. And of course, it does not, so authentication doesn't work.

What am I missing people?

Windows 7, PHP Version 5.3.13

norbe

If you call Passwords::hash without salt, salt is generated automatically. For comparsion, you need to use Password::verify(‘password’, $hashedPassword)

jiri.pudil

To add some clarification if @petr.pavel meant this line in particular: it generates a new hash for $password (which is in plain-text at that moment) in case the old hash is outdated (e.g. after you've increased the cost factor).

petr.pavel

Actually, I have to apologize.

When modifying the sandbox authenticator to use Doctrine, I mistakenly used both username and password hash to look up the user entity. So I wasn't using Passwords::verify() at all.

I was comparing a newly generated hash with an old hash which couldn't work without fixing the salt. I just wasn't thinking clearly when writing the user look-up method.

Sorry guys for wasting your time.

mcmatak

hi, sorry i am not sure what is worse, if my english or my knowledges, can somebody explain me how the passwords works?

if i dont give the Passwords::hash function the salt then the salt is randomly generated, so every time i generate the password, so the new different hash will be generated

so how can i verify this hash? with use of function Passwords::verify? but this function trim the salt from hash and verify without it and also salt is part of hash and i can see it, is it ok? why to use the salt at all?

i can find salt in every hash??

Filip Procházka

The salt is generated randomly and then it becomes part of the password. On verify, the hashing algoritm can read the salt and verify the password. Having different hash every time for the same password is an advantage.

Šaman

It's a point. Two users with same password get different hashes. At PHP 5.5 use function password_verify, at lower php version use Nette functions, it is compatible.

P.S. A když angličtina není tvoje silná stránka, proč se nezeptáš česky? :)

Filip Procházka

You're right, but I don't see a reason to use password_verify even in 5.5 :)

Jan Tvrdík

I do, password_verify is slightly faster and immune to timing attack.

Filip Procházka

Good point. However, there could be a direct fallback inside the Password class for the verification.

Last edited by Filip Procházka (2014-12-12 10:54)

David Grudl

Why is it faster?

Jan Tvrdík

Because it's written in C. Does not matter. Completely irrelevant for practical purposes. Nothing to worry about.

Last edited by Jan Tvrdík (2014-12-12 13:22)