I'm trying to use PHPass with a new site. I generated a hash like this and stored it in the database:

```php
$hasher = new \Hautelook\Phpass\PasswordHash(8, true);
$password = $hasher->HashPassword('secretpassword');
// I store $password in the DB for the user
```
On the login page, I get the user and use CheckPassword to see if they are the same:

```php
function authUser($username, $password, $hasher, $db) {
    // Look the user up by name; the stored PHPass hash is in the password column
    $sql = "SELECT * FROM users WHERE username = :username";
    $stmt = $db->prepare($sql);
    $stmt->bindValue("username", $username);
    $stmt->execute();
    $user = $stmt->fetch();

    // Compare the submitted plaintext against the stored hash
    $check = $hasher->CheckPassword($password, $user['password']);
    if ($check) {
        return $user;
    } else {
        return null;
    }
}
```
`$user['password']` does contain the correct hash that I stored, so I know that is correct. `$password` is the plaintext password passed in from the form. `CheckPassword()` always returns false, but from all the tutorials I've perused this morning this looks correct and should work. `$hasher` is created the same way, with 8 for a cost and portable set to true.
I can't figure out why CheckPassword always returns false. Do I need to initialize the hasher for CheckPassword differently than when I hashed it? Am I missing something simple?
I'm running PHP 5.3.19 on CentOS 6.3, if that makes any difference.
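As an added example (not code from the question or from the Hautelook package), here is the portable `$P$` scheme that `PasswordHash(8, true)` produces, re-implemented in Python so a stored value can be inspected: the cost character and the 8-character salt are read back from the stored string itself, so verification needs only that string, and a 34-character hash that was stored shorter or altered can never verify.

```python
import hashlib
import hmac
import os

# Re-implementation of the PHPass "portable" ($P$) scheme for inspection; not the package's code.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    # PHPass's own base-64 variant (not RFC 4648): little-endian 24-bit groups, len+1 chars each.
    out = []
    for pos in range(0, len(data), 3):
        chunk = data[pos:pos + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> shift) & 0x3F] for shift in range(0, 6 * (len(chunk) + 1), 6))
    return "".join(out)


def parse_hash(stored: str):
    # Cost and salt are carried inside the stored string; None if it is not a $P$/$H$ hash.
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(stored[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    return {"cost_log2": count_log2, "iterations": 1 << count_log2, "salt": stored[4:12]}


def crypt_private(password: bytes, setting: str):
    # md5(salt + password), then md5(hash + password) repeated 2**cost_log2 times.
    info = parse_hash(setting)
    if info is None:
        return None
    h = hashlib.md5(info["salt"].encode() + password).digest()
    for _ in range(info["iterations"]):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h)  # always 34 chars: "$P$" + cost + 8 salt + 22 hash


def hash_password(password: bytes, cost_log2: int = 8) -> str:
    # HashPassword() with portable=True: PHPass stores cost_log2 + 5 as the 4th character.
    setting = "$P$" + ITOA64[min(cost_log2 + 5, 30)] + encode64(os.urandom(6))
    return crypt_private(password, setting)


def check_password(password: bytes, stored: str) -> bool:
    # CheckPassword(): recompute from the stored cost and salt, compare whole strings (no crypt() fallback).
    computed = crypt_private(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)
```

A quick way to use it while debugging is to compare `len()` and `parse_hash()` of the value read back from the database against a freshly generated hash for the same password.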