
Password hashing is not working properly!

Posted: Wed Dec 22, 2010 8:42 am
by Luisinho
Hello there,

What I'm actually trying to do is to hash a password using 'sha1', which I have already done. However, for every value I submit as the password, the encryption result is the same for anything I type in, which in this case is the following:

Code:

da39a3ee5e6b4b0d3255bfef95601890afd80709

Just to clarify, I am using MySQL.

I have been trying to fix this issue for the past hours. Yet, I still couldn't find an answer. Please, take a quick look at my coding below:

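Code:

<?php
	// Read the submitted form fields. $connection is the MySQL link opened elsewhere.
	// Each value is escaped before it is placed in the SQL string below.
	$user_first_name = mysql_real_escape_string($_POST['user_first_name'], $connection);
	$user_last_name = mysql_real_escape_string($_POST['user_last_name'], $connection);
	$user_email = mysql_real_escape_string($_POST['user_email'], $connection);
	$user_password = $_POST['user_password'];
	// Hash the password; the hex digest needs no escaping.
	$user_hashed_password = sha1($user_password);
?>

<?php
	// Build the INSERT statement from the escaped values and the password hash.
	$query = "INSERT INTO users (
				user_first_name, user_last_name, user_email, user_hashed_password
			) VALUES (
				'{$user_first_name}', '{$user_last_name}', '{$user_email}', '{$user_hashed_password}'
			)";
	
	if (mysql_query($query, $connection)) {
		// Success
		$message = "The user was successfully created!";
		header("Location: index.php");
		exit;
	} else {
		// Error
		$message = "The user could not be created!";
		echo "<br />" . mysql_error();
	}
?>

Thank you,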
Luis

Re: Password hashing is not encrypting properly!

Posted: Wed Dec 22, 2010 9:40 am
by pickle
Try outputting $_POST['user_password'] in plain text - just to see if it's changing as you expect.

As a sidenote, "hashing" is not the same as "encrypting". Hashing is designed to be one way - obscuring a value. Encrypting is also obscuring a value, but intended to be unobscured by a reverse process.

This doesn't help provide you with an answer - merely an FYI about terminology.

Re: Password hashing is not encrypting properly!

Posted: Wed Dec 22, 2010 9:51 am
by Apollo
The checksum you mentioned is the sha1-hash of an empty string. So most likely $_POST['user_password'] does not contain what you expect.

pickle wrote: As a sidenote, "hashing" is not the same as "encrypting". Hashing is designed to be one way - obscuring a value. Encrypting is also obscuring a value, but intended to be unobscured by a reverse process.

And in addition to that, for TS: you'll typically want to store password hashes, not encrypted passwords (you only want to make sure a user entered the correct password, you never want to retrieve the actual password itself, which would be a security risk).

Re: Password hashing is not encrypting properly!

Posted: Wed Dec 22, 2010 1:15 pm
by Luisinho
pickle wrote: Try outputting $_POST['user_password'] in plain text - just to see if it's changing as you expect.

I just tried outputting plain text as you said, but I'm still getting the same result.

Apollo wrote: The checksum you mentioned is the sha1-hash of an empty string. So most likely $_POST['user_password'] does not contain what you expect.

So that means I'm not getting anything in my output at all. Strange, I'll take another look in my code and see if I am able to find anything odd in it.

pickle wrote: As a sidenote, "hashing" is not the same as "encrypting". Hashing is designed to be one way - obscuring a value. Encrypting is also obscuring a value, but intended to be unobscured by a reverse process.

Apollo wrote: And in addition to that, for TS: you'll typically want to store password hashes, not encrypted passwords (you only want to make sure a user entered the correct password, you never want to retrieve the actual password itself, which would be a security risk).

As to that, I'll make sure I don't get confused again.

Thanks guys, I really appreciate your help.

Re: Password hashing is not encrypting properly!

Posted: Wed Dec 22, 2010 1:35 pm
by requinix
Luisinho wrote: I just tried outputting plain text as you said, but I'm still getting the same result.

Yeah... Simply outputting the password isn't going to fix anything. You're supposed to look at the output and use it to reason out what and where the problem is. For example, if you get no output then it means the password is empty and you'll end up with the exact hash that you do, in fact, end up with.

Luisinho wrote: So that means I'm not getting anything in my output at all. Strange, I'll take another look in my code and see if I am able to find anything odd in it.

Either the form has method=get or the password input is not called "user_password".
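
The diagnosis above as an added example (not code from the thread or any of its posters): a missing `user_password` key makes `sha1()` hash the empty string, so the handler below rejects a missing or empty field instead of hashing it. The function names and the misspelled sample field are constructed for illustration, and `password_hash()` is swapped in for the thread's `sha1()`.

```php
<?php
// Added example; function names and sample data are hypothetical.

// SHA-1 of the empty string: the digest every submission produced in the thread.
const SHA1_OF_EMPTY = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';

// Return a required form field, or throw if it is missing or empty.
function require_field(array $form, string $name): string
{
    if (!isset($form[$name]) || !is_string($form[$name]) || $form[$name] === '') {
        $received = implode(', ', array_keys($form));
        throw new InvalidArgumentException(
            "Missing form field '$name'; received: [$received]"
        );
    }
    return $form[$name];
}

// Hash a new password for storage, refusing empty input.
function hash_new_password(array $form): string
{
    $password = require_field($form, 'user_password');
    // password_hash() (PHP 5.5+) replaces the thread's sha1() here:
    // it adds a per-password salt and is deliberately slow.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed input: the form's password input is misspelled "user_pasword".
$submitted = ['user_email' => 'luis@example.test', 'user_pasword' => 'hunter2'];

// What the unguarded code computes: the key is absent, so "" gets hashed.
$legacy = sha1($submitted['user_password'] ?? '');
echo 'legacy digest is SHA-1 of "": ';
var_dump($legacy === SHA1_OF_EMPTY);

// The guarded version names the missing field and lists what did arrive.
try {
    hash_new_password($submitted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// With the field name corrected, the stored hash verifies.
$stored = hash_new_password(['user_password' => 'hunter2']);
var_dump(password_verify('hunter2', $stored));
```

In a real handler `$_POST` would be passed as `$form`; the exception lists only the received field names, never their values, so it is safe to log.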

Re: Password hashing is not encrypting properly!

Posted: Wed Dec 22, 2010 3:21 pm
by Luisinho
Problem resolved! It was the field name that was causing this, just like you suggested. All because of a stupid spelling mistake I made.

Anyway, thank you a lot guys!