PHP password_verify
Posted: Mon Aug 24, 2015 7:35 pm
by Pazuzu156
This is my first question here in quite some time, but we all run into stumps sometimes, lol.
My question here is, is there a way to use password_verify to verify a hashed password?
Like:
<?php
password_verify($hashedPW, $hashedPWFromDB);
?>
I wonder this because when the verify function is being called, the password has already been hashed. This is to keep the desktop application from sending an unhashed password, so it hashes it before sending it off.
Re: PHP password_verify
Posted: Mon Aug 24, 2015 7:40 pm
by Celauran
Pazuzu156 wrote: is there a way to use password_verify to verify a hashed password
That's the whole point of password_verify
Pazuzu156 wrote:
<?php
password_verify($hashedPW, $hashedPWFromDB);
?>
I wonder this because when the verify function is being called, the password has already been hashed.
No, you need to compare the password against the hash. If you were comparing hashed passwords, it would be a simple string compare.
Re: PHP password_verify
Posted: Mon Aug 24, 2015 7:56 pm
by Pazuzu156
Celauran wrote:
No, you need to compare the password against the hash. If you were comparing hashed passwords, it would be a simple string compare.
True, however, notice when you hash the same password, the hashes always come out different. I'm also using the BCrypt hash.
Re: PHP password_verify
Posted: Mon Aug 24, 2015 7:59 pm
by Celauran
That's why you need to compare the password with the hash, and not two hashes of the same password.
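The comparison discussed in the posts above, as an added example that is not part of the original thread: it shows why two bcrypt hashes of one password never match and why password_verify() needs the password as typed. The function names and the sample password are hypothetical, and it assumes the password reaches the server over an encrypted connection.

```php
<?php
// Added illustration, not code from the thread. Function names and the sample
// password are constructed for this example.

// Server side, at registration: bcrypt picks a fresh random salt on every call
// and stores it inside the returned 60-character string.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT);
}

// Server side, at login: the first argument must be the password as typed.
function check_login(string $submitted, string $hashFromDb): bool
{
    return password_verify($submitted, $hashFromDb);
}

// What password_verify() does conceptually: re-run bcrypt using the cost and salt
// embedded in the stored hash, then compare the two strings in constant time.
function verify_by_hand(string $submitted, string $hashFromDb): bool
{
    return hash_equals($hashFromDb, crypt($submitted, $hashFromDb));
}

$password       = 'correct horse battery staple';   // constructed sample value
$hashFromDb     = store_password($password);        // stored at registration
$clientSideHash = store_password($password);        // hashed again on the client, as in the first post

var_dump([
    // Same password, two calls: different salts, so the strings differ.
    'hashes_identical'       => hash_equals($hashFromDb, $clientSideHash),
    // A hash passed as the "password" is treated as a different password.
    'verify_hash_vs_hash'    => check_login($clientSideHash, $hashFromDb),
    // The password as typed, checked against the stored hash.
    'verify_plain_vs_hash'   => check_login($password, $hashFromDb),
    // The manual re-hash with the stored salt agrees with password_verify().
    'manual_matches_builtin' => verify_by_hand($password, $hashFromDb) === check_login($password, $hashFromDb),
]);
```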
Re: PHP password_verify
Posted: Mon Aug 24, 2015 8:17 pm
by Pazuzu156
Well, the issue was I was sending the hashed password to the server to compare. Then I thought of just retrieving it from the server. However, I find this to be quite insecure.
Re: PHP password_verify
Posted: Mon Aug 24, 2015 8:20 pm
by Celauran
How were you planning on comparing it, then? Pull down the hash and try to find a JS-based solution? Surely that would be much worse.
Re: PHP password_verify
Posted: Mon Aug 24, 2015 8:28 pm
by Pazuzu156
Lol, the application is a desktop application, there's no JS involved. No, I leave JS to front end web design.
It's not going to be a real-life solution app, so I'm not too awful worried about security. However, it wasn't working, and I sorta solved it on my own. Just my second option. However, I also decided for an auth token based system too.
That way passwords aren't thrown around. :p