    include 'lib/php/PasswordHash.php';

    $hash = $_GET['hash'];
    $pass = $_GET['pass'];

    $hasher = new PasswordHash(8, false);
    $pass = $hasher->HashPassword($pass);
    echo "Original:<br>" . $pass . "<br>";
    $checked = $hasher->CheckPassword($pass, $hash);
    echo "Hashed:<br>" . $checked . "<br>";
    echo "<br>";
    echo "Are they equal? <b>";
    if($pass == $checked){ echo "Yep!</b>";} else{
        echo "Nope. </b>";
    }

The incredibly simple piece of code above does not work at all as intended. Yes, the pass variable gets hashed and outputted correctly, but CheckPassword() fails to output anything at all. I have tested just a simple word "hello" and inserted it directly into the function (e.g. CheckPassword('$2...', '$2...');) and it still outputs nothing.

I'm running on XAMPP Windows, and I've just been forced to conclude that must be the problem. I used this code rather than the actual project to remove the database as a factor, and found this issue.

Try to restrain yourselves from vomiting at the ugliness of the code, but it is a desperate attempt to get it to work.

If you are running this code yourself you'll need to place both a 'pass' and a 'hash' GET variable in the URL to test this. Most likely I've made a terrible mistake somewhere, so I'm not confident at all blaming my environment.

EDIT:

I used the code below to generate the initial variable to use in the URL

    include 'lib/php/PasswordHash.php';

    // Read the plaintext password from the URL and hash it once
    $pass = $_GET['pass'];

    $hasher = new PasswordHash(8, false);
    $hash = $hasher->HashPassword($pass);

    // This is the value to pass back in as the 'hash' GET variable
    echo $hash;
Peter Clotworthy

1 Answer


You're using CheckPassword incorrectly. The first argument should be plain text; the second a hash, according to the documentation. You are setting $pass to a hashed value, then using it as the first argument in CheckPassword anyway.

Corrected code (untested):

    include 'lib/php/PasswordHash.php';

    $hash = $_GET['hash'];
    $pass = $_GET['pass'];

    $hasher = new PasswordHash(8, false);
    // Just delete this line: $pass = $hasher->HashPassword($pass);
    echo "Original:<br>" . $pass . "<br>";
    // CheckPassword(plaintext, stored hash) returns a boolean; echoing false
    // prints nothing, so render it as text to see the result
    $checked = $hasher->CheckPassword($pass, $hash);
    echo "Hashed:<br>" . ($checked ? 'true' : 'false') . "<br>";
    echo "<br>";
    echo "Are they equal? <b>";
    if ($checked) { echo "Yep!</b>"; } else {
        echo "Nope. </b>";
    }

P.S. I'm not sure why you are trying to get the value of $hash from $_GET. If you let the user specify both the password and the hash, they can fool your application into granting access. I'm assuming this is just a test and that you will use a database or other secure storage in your real app.

elixenide
  • "I used this code rather than the actual project to remove the database as a factor, and found this issue." But yes, thank you, this solved my issue. I was following the tutorial on their website but I must have misread. – Peter Clotworthy Mar 25 '14 at 03:29
  • Glad to help! Please remember to select an answer! :) – elixenide Mar 25 '14 at 03:31
  • As soon as I am allowed to do so, I will. (4 min time limit) – Peter Clotworthy Mar 25 '14 at 03:31
  • Makes a lot more sense now as well, because I was sure that hashing was both irreversible and completely different on every hash, so 'comparing' the two seemed pointless. Is the salt embedded in each hash, which is used to generate the comparison? – Peter Clotworthy Mar 25 '14 at 03:34
  • I haven't used this particular library, but it appears to generate [bcrypt-formatted hashes](http://stackoverflow.com/questions/5881169/storing-a-hashed-password-bcrypt-in-a-database-type-length-of-column), which include the salt. From the link in my answer: "Salts are normally stored along with the hashes. They are not secret." – elixenide Mar 25 '14 at 03:38
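The correct hash-then-verify flow from the answer, and the salt-in-the-hash point from the last comment, as an added example that is not part of the question or answer. It assumes lib/php/PasswordHash.php is the phpass library from the question and that the PHP build supports bcrypt (otherwise phpass falls back to other formats); the sample password and the bcryptParts() helper are constructed here.

```php
<?php
// Added example (not from the question or answer). Assumes the phpass
// PasswordHash class from lib/php/PasswordHash.php.
include 'lib/php/PasswordHash.php';

$hasher = new PasswordHash(8, false); // cost 2^8 rounds, bcrypt ("non-portable") hashes

// Registration: hash the plaintext once and store ONLY the hash, never the
// plaintext and never a hash supplied by the client.
$plaintext = 'hello';                       // constructed sample password
$stored1   = $hasher->HashPassword($plaintext);
$stored2   = $hasher->HashPassword($plaintext);

// Two hashes of the same password differ because phpass generates a fresh
// random salt for each call, so comparing two hashes to each other is meaningless.
echo "stored1: $stored1\nstored2: $stored2\n";
echo "hashes differ: " . var_export($stored1 !== $stored2, true) . "\n";

// Login: CheckPassword(plaintext, stored_hash). It reads the salt and cost
// back out of the stored hash, re-hashes the candidate with them and compares.
// Plaintext goes first; putting a hash in the first slot (the bug in the
// question) can never match because the hash of a hash is a different value.
echo "correct password verifies: "
   . var_export($hasher->CheckPassword($plaintext, $stored1), true) . "\n";
echo "same password, other salt:  "
   . var_export($hasher->CheckPassword($plaintext, $stored2), true) . "\n";
echo "wrong password rejected:    "
   . var_export($hasher->CheckPassword('hellp', $stored1), true) . "\n";
echo "hash passed as plaintext:   "
   . var_export($hasher->CheckPassword($stored1, $stored1), true) . "\n";

// Where the salt lives. A bcrypt string is "$2a$" (or "$2x$"/"$2y$"), a
// two-digit cost, "$", 22 characters of salt, then 31 characters of digest.
// Only the password is secret; the salt and cost are stored in the clear.
function bcryptParts(string $hash): ?array
{
    $re = '~^(\$2[axy]\$)(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not bcrypt: phpass fell back to another format or failed
    }
    return ['prefix' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$parts = bcryptParts($stored1);
if ($parts === null) {
    echo "warning: hash is not bcrypt-formatted; check CRYPT_BLOWFISH support\n";
} else {
    print_r($parts);
}
```

Run it once from the command line with `php example.php`; no GET variables are needed because the password is embedded as a constructed sample.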