PHP password_verify

Post by Pazuzu156 »

This is my first question here in quite some time, but we all run into stumps sometimes, lol.

My question here is, is there a way to use password_verify to verify a hashed password?

Like:

<?php
    password_verify($hashedPW, $hashedPWFromDB);
?>

I wonder this because when the verify function is being called, the password has already been hashed. This is to keep the desktop application from sending an unhashed password, so it hashes it before sending it off.
- Kaleb Klein
------------------------------------
Web Developer | Software Developer
https://kalebklein.com
PGP Key: https://keybase.io/pazuzu156

Post by Celauran »

Pazuzu156 wrote: is there a way to use password_verify to verify a hashed password

That's the whole point of password_verify.

Pazuzu156 wrote:

<?php
    password_verify($hashedPW, $hashedPWFromDB);
?>
I wonder this because when the verify function is being called, the password has already been hashed.

No, you need to compare the password against the hash. If you were comparing hashed passwords, it would be a simple string compare.

Post by Pazuzu156 »

Celauran wrote: No, you need to compare the password against the hash. If you were comparing hashed passwords, it would be a simple string compare.

True, however, notice when you hash the same password, the hashes always come out different. I'm also using the BCrypt hash.

Post by Celauran »

That's why you need to compare the password with the hash, and not two hashes of the same password.

Post by Pazuzu156 »

Well the issue was I was sending the hashed password to the server to compare. Then I thought of just retrieving it from the server. However, I find this to be quite insecure.

Post by Celauran »

How were you planning on comparing it, then? Pull down the hash and try to find a JS-based solution? Surely that would be much worse.

Post by Pazuzu156 »

Lol, the application is a desktop application, there's no JS involved. No, I leave JS to front end web design.

It's not going to be a real-life solution app, so I'm not too awful worried about security. However, it wasn't working, and I sorta solved it on my own. Just my second option. However, I also decided for an auth token based system too.

That way passwords aren't thrown around. :p
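The behaviour discussed in this thread, as an added example that is not code from any of the posters: it shows why two bcrypt hashes of one password never match, why password_verify() rejects a hash passed as its first argument, and the call that does work. The sample password, the `login` function and the token step are assumptions for illustration, and the client is assumed to send the plaintext password over TLS.

```php
<?php
declare(strict_types=1);

// Constructed sample: stands in for the hash column of a users table.
$storedHash = password_hash('correct horse battery', PASSWORD_BCRYPT);

/**
 * Hypothetical login handler (name and shape are assumptions).
 * Takes the plaintext password received from the client and the bcrypt
 * hash stored for that user; returns an auth token or null.
 */
function login(string $submittedPassword, string $hashFromDb): ?string
{
    // password_verify() reads the algorithm, cost and salt embedded in
    // $hashFromDb, re-hashes the plaintext with them, and compares the
    // result in constant time.
    if (!password_verify($submittedPassword, $hashFromDb)) {
        return null;
    }
    // Random token for later requests, so the password is sent only once.
    // A real server would persist it (storage not shown here).
    return bin2hex(random_bytes(32));
}

// Case 1: hashing the same password again uses a fresh random salt,
// so a client-side hash cannot be string-compared with the stored one.
$clientSideHash = password_hash('correct horse battery', PASSWORD_BCRYPT);
printf("hash equals hash:        %s\n",
    var_export(hash_equals($storedHash, $clientSideHash), true));

// Case 2: a hash given as the first argument is treated as the password
// itself, so it is checked against a hash of a different string.
printf("verify(hash, hash):      %s\n",
    var_export(password_verify($clientSideHash, $storedHash), true));

// Case 3: plaintext against the stored hash is the supported call.
printf("verify(plaintext, hash): %s\n",
    var_export(password_verify('correct horse battery', $storedHash), true));

// The handler end to end: a wrong password gets no token.
printf("login with wrong pw:     %s\n",
    var_export(login('wrong guess', $storedHash), true));
printf("login with right pw:     %s\n",
    login('correct horse battery', $storedHash) !== null ? 'token issued' : 'rejected');
```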