
I use the sha512.js file and, for security purposes, I send my password as a hash value with the POST request. Now I want to check it against the saved hashed password in the database. When I check my browser, the password can be seen as a hash value. Then in my PHP file I get the password value from the POST request, and I want to check it against the value saved in the database.

My POST request password value looks like this: 7d4ad2ce44e568064beb480525a563daf85c676795f4083b7e177553af273ffecff41c2bbbe64428d9c0ca37744bcea4de218d356037337bcd41129bb1681b13

// Values submitted by the login form
$email = $_POST['email'];
$passwordFromPost = $_POST['p'];   // already hashed in the browser by sha512.js

// Example of what arrives in $passwordFromPost:
// $passwordFromPost = '7d4ad2ce44e568064beb480525a563daf85c676795f4083b7e177553af273ffecff41c2bbbe64428d9c0ca37744bcea4de218d356037337bcd41129bb1681b13';

My database password is:

// bcrypt hash stored at registration time with password_hash()
$hashedPasswordFromDB = '$2y$11$2Nmsc11WWGZ1xEB8P3zWCezVv4QCe48BVQ8vJbXOkByUXIioWH.AS';

if (password_verify($passwordFromPost, $hashedPasswordFromDB)) {
    echo 'Password is valid!';
} else {
    // the else branch was cut off in the original snippet
    echo 'Invalid password.';
}
How do I check the POST request hash value against the DB hash value?

user2552863
  • Is there any particular reason why you're hashing the password in the browser before sending it to the webserver? If you were using https (as you should be), then you wouldn't need to do so – Mark Baker Dec 07 '17 at 10:43
  • Do you send the same hash through the registration screen when you create the user record? – Mark Baker Dec 07 '17 at 10:44
  • I send the password value and save its hash value in the db. Then for a password like vancab12390909 the hash value will be in the db like $2y$11$2Nmsc11WWGZ1xEB8P3zWCezVv4QCe48BVQ8vJbXOkByUXIioWH.AS – user2552863 Dec 07 '17 at 10:49
  • I used this function: $hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options); – user2552863 Dec 07 '17 at 10:50
  • I save the above generated hash value in the db and check it in the browser by sending the password input field value, like vancab12390909 – user2552863 Dec 07 '17 at 10:52
  • That's pretty useless..... so you're hashing the actual password to save in the db, but using sha512.js and trying to verify that hash value against the hash in the db rather than the entered password against the hash in the db.... stop using sha512.js and send the actual password to the server for your login – Mark Baker Dec 07 '17 at 10:54
  • I generate an encrypted hash value when the user logs in with sha512.js and forms.js. The problem, I think, is that the hash value generated from them is different from the password_hash($passwordFromPost, PASSWORD_BCRYPT, $options) one – user2552863 Dec 07 '17 at 10:56
  • Just stop using that sha512.js..... you should not need it, but if you absolutely must use it, then you need to use it for both the registration and for the login – Mark Baker Dec 07 '17 at 10:58
  • Don't try to make the two match. If you hash the password on the client side, then the hash itself becomes the password and you achieve nothing. Just send it in plain-text from the client and leave TLS/SSL to do its job. – Narf Dec 07 '17 at 10:58
  • I used this method because any person can view the password as plain text with the browser, so I want to prevent that and send it encrypted as well, like Yahoo does. – user2552863 Dec 07 '17 at 10:58
  • It works when I send the password without encrypting. But I tried to do that by sending it as an encrypted one. My browser security knowledge is not much; I appreciate your comments, I got them. – user2552863 Dec 07 '17 at 11:03
  • Rather than using sha512.js, you should be using https pages (rather than http) with a security certificate.... that's how every major website maintains security between the browser and the server – Mark Baker Dec 07 '17 at 11:15
  • SSL is also in the system. I got the idea. – user2552863 Dec 07 '17 at 11:23
  • zaph's answer is correct – Scott Arciszewski Dec 20 '17 at 15:04

1 Answer


Do not hash the password in the client; send it in plain text in the POST data using HTTPS. Sending a hash of the password just makes the hash the password.

With PHP use password_hash and password_verify; the pair is secure and easy to use.

More info: when saving a password verifier, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100 ms duration. The point is to make the attacker spend a substantial amount of time finding passwords by brute force.

zaph
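The registration and login flow the answer recommends, as an added example that is not code from the question or the answer: the plain password travels over HTTPS, password_hash() produces the stored verifier, password_verify() checks it, and the bcrypt cost is calibrated so that one verification takes roughly 100 ms. The calibrateBcryptCost(), makeVerifier() and checkLogin() names and the constructed demo password are assumptions of this example.

```php
<?php
// Added example (not from the question or answer): password_hash()/password_verify()
// with a bcrypt cost tuned to about 100 ms per check, as the answer recommends.

// Find the highest bcrypt cost that still hashes in under $targetMs on this server.
// Assumption: run once at deploy time and keep the result in configuration.
function calibrateBcryptCost(int $targetMs = 100): int
{
    $cost = 10;                      // PHP's default bcrypt cost
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < 31);   // 31 is bcrypt's maximum cost
    return $cost - 1;                // last cost that stayed under the target
}

// Registration: store only the bcrypt verifier, never the plain password
// and never a client-side hash (that hash would simply become the password).
function makeVerifier(string $plainPassword, int $cost): string
{
    return password_hash($plainPassword, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: compare the plain password received over HTTPS with the stored verifier.
// If the configured cost has been raised since the verifier was created,
// return a fresh verifier so the caller can update the database row.
function checkLogin(string $plainPassword, string $storedVerifier, int $cost): array
{
    if (!password_verify($plainPassword, $storedVerifier)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($storedVerifier, PASSWORD_BCRYPT, ['cost' => $cost])
        ? makeVerifier($plainPassword, $cost)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed demo: the question's sample password, hashed once at "registration"
// and then checked twice as a login handler would.
$cost     = calibrateBcryptCost();
$verifier = makeVerifier('vancab12390909', $cost);          // value to store in the db
$good     = checkLogin('vancab12390909', $verifier, $cost); // ['ok' => true, ...]
$bad      = checkLogin('wrong-password', $verifier, $cost); // ['ok' => false, ...]
var_dump($cost, $good['ok'], $bad['ok']);
```

The client-side SHA-512 step from the question is simply dropped: the browser submits the plain password over TLS and the server does all the hashing.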