Bcrypt check password in codeigniter

Question

I have a problem when decrypting passwords hashed with bcrypt. I can't login when I use this code. So, are there any mistakes?

function login(){

    if ($this->session->userdata('username')) 
    {   
        redirect('dasbor');
    }

    //fungsi login
    $valid = $this->form_validation;
    $username = $this->input->post("username");
    $password = $this->input->post("password");

    $hash = $this->db->get('users')->row('password');

    $hashp = $this->bcrypt->check_password($password,$hash);


        $valid->set_rules("username","Username","required");
        $valid->set_rules("password","Password","required");

    if ($hashp) {
        if($valid->run()) {
        $this->simple_login->login($username,$hashp, base_url("dasbor"), base_url("Auth/login"));
        }
    }
    // End fungsi login

    $data = array('title'=>'Halaman Login Admin');
    $this->load->view('admin/login_view',$data);
}

please help me to solve this problem.

1. There's no 'bcrypt' library in CodeIgniter. 2. You're fetching ALL users' passwords and thus always checking only the first row in the resultset, whichever that is. — Narf, Nov 30 '16 at 14:39
so, any solution to solve this? so my login functional can work — kusiaga, Nov 30 '16 at 15:10

score 3 · Accepted Answer · answered Jun 30 '19 at 05:45

I know this is an old question, but I want to help others who face the same problem.

First thing first, you need to rework again on your algorithm. The password_verify() function needs 2 parameters:

Password, the text that the user input in the text field before submitting the form.
Hash, a hash that is already stored in your database.

The goal is to verify if Password and Hash are similar. As you know, the password_hash() will return a different result at different times even when you hash the same string. Because of that, you can not use this->db->where() active record.

So, what I would do are these simple 2 steps:

Create a function in the model (e.g. Main_model.php) for getting user data.

public function get_user($user) {
        $this->db->where('username', $user);

        return $this->db->get('user')->row_array();
    }

Get the password from the controller and use password_verify

$get_user = $this->main_model->get_user($this->input->post('username'));

if(password_verify($this->input->post('password'), $get_user['password'])){
// Success
}
else {
// Not Success
}

And one additional tip from me, don't write any active record in the Controller. It is not neat for the MVC method.

Q: Why not just hash the code with mysql functions [password()](https://www.w3resource.com/mysql/encryption-and-compression-functions/password().php), [md5()](https://www.w3resource.com/mysql/encryption-and-compression-functions/md5().php), store the hashed value when the password is created, then use the same function at user login? Why deal with bcrypt at all? — paulsm4, Jun 30 '19 at 05:52
@paulsm4 that might be personal preferences. But for me, I would never use Mysql function to generate hashed passwords. Also, there are plenty of reasons why Bcrypt is safer than md5, even the salted ones. [How is Bcrypt better than md5 + salt?](https://stackoverflow.com/questions/34813483/how-is-bcrypt-better-than-md5-salt) — Anthony, Jun 30 '19 at 06:04
@paulsm4 Because fast, *unsalted* hashes are not secure enough for password storage, as they are more or less easily prone to brute-force attacks. — deceze, Jun 30 '19 at 06:04

Bcrypt check password in codeigniter

1 Answers1