0

So I have the password check for an old website defined as:

if($i['password'] == hash('PASSWORD_BCRYPT',$p.$i['salt']) || sha1($p) == $i['password']) {

and it uses the following to select data from the database. 

$u = $mysqli->real_escape_string($_REQUEST['username']);
$p = $_REQUEST['password'];
$s = $mysqli->query("SELECT * FROM `accounts` WHERE `name`='".$u."'") or die();
$i = $s->fetch_assoc();

I understand Sha1 was never meant to be used for password encryption, rather in order to obtain a faster processing speed, so I want to migrate over to BCrypt. Despite countless attempts, I can't seem to get it to work. (sorry still learning php) This is what I got so far:

$options = [ 'cost' => 12];
if($i['password'] == password_hash($p.$i['salt'], PASSWORD_BCRYPT, $options) || password_hash($p, PASSWORD_BCRYPT, $options) == $i['password']){

My login script doesn't allow the login to proceed so the passwords defined, given and retrieved, aren't matching. I know bcrypt is stored properly as my java application, defined by BCrypt.hashpw(pass, BCrypt.gensalt(12)); can read and write properly. So why can't the website?

Vincent
  • 99
  • 5
  • It's generally a good practice to get rid of any short-circuiting logic (such as the || operator, and `==` string comparison) when authenticating users to prevent timing attacks. Probably not terribly significant here, but definitely a good practice to maintain. – CollinD Jun 26 '18 at 19:07
  • Pull the hash out of the DB and then use [password_verify](http://php.net/manual/en/function.password-verify.php). See the duplicate for an example – Machavity Jun 26 '18 at 19:09
  • 1
    `password_hash()` generates its own secure salt, appending your own is unnecessary. – Sammitch Jun 26 '18 at 19:39
  • I replied down under what I think it may be? I might be wrong. Sorry! – Vincent Jun 26 '18 at 22:34

1 Answers1

0

You should use password_verify function to verifiy password hash

mscho
  • 860
  • 7
  • 16
  • So like this: if(password_verify($i['password'], $p))? I believe $i['password'] is user entered if I am not wrong and $p draws from database. This actually didn't work, so I am not entirely sure where it messed up – Vincent Jun 26 '18 at 22:33