1

I have two methods that I am using. When a user creates an account I call this method to make a secure password hash for them to save into the database:

public function createPassword($password){
    $salt = hash("sha256", time() . uniqid() . rand(1, 1000));
    return crypt($password, $salt);
}

It returns a salt which I then save into the database in the password column.

Next when a user logs into his/her account I select their info from the database and pass it to this function which then is supposed to verify their password.

public function verifyPassword($password, $salt){
    if(crypt($password, $salt) == $salt){
        return true;
    }
    return false;
}

The issue is that I have found a password that if I put the correct password in it works, but if I add extra characters to the end of the password it still works. This shouldn't happen. am I doing something wrong or is this a bug in php?

For security I am not using the real password below

// Create during registration
$salt = $obj->createPassword('abc123');
// Save to database here

then:

// Get row from database save array $row
if($obj->verifyPassword($_POST["passwd"], $row["password"])){
    // Log user in
}

Here are my tests:

abc123          // Works
abc12           // doesn't work
abc12jfjf       // doesn't work
abc123123       // Works
abc123asdfadffa // Works

So, it looks as if as long as the string starts with the real password anything after is fine...

Get Off My Lawn
  • 34,175
  • 38
  • 176
  • 338
  • It is becauase I am using crypt, as the description here: http://php.net/manual/en/faq.passwords.php#faq.passwords.bestpractice says not to use `==` or `===` because it won't work – Get Off My Lawn Jan 18 '15 at 05:02

1 Answers1

2

This may depend on the encryption method you are using. In your example, is the actually password you are using 8 characters?

If so, then any characters past the 8th are truncated.

https://bugs.php.net/bug.php?id=11240

To avoid this behavior, use MD5 encryption.

jaynp
  • 3,275
  • 4
  • 30
  • 43
  • 1
    Yes, I am using an 8 character string. PHP suggests I use `password_hash` and `password_verify` instead. Do you think that will help? – Get Off My Lawn Jan 18 '15 at 05:03
  • I think so since it uses 72 chars and stronger encryption. Good question though, I'm not sure why it was downvoted... – Rafael Jan 18 '15 at 05:05
  • @jpp I don't want to use `MD5` since it isn't a very secure hash method, `password_hash` returns a different hash every time on the same password making it harder to decrypt but thanks for the link! – Get Off My Lawn Jan 18 '15 at 05:12