Solved

Does password_verify automatically detect the salt?

Posted on 2016-10-06
Last Modified: 2016-11-07
As I understand password_verify, a salt is encrypted and added to the database, then it is added to the password so that a different hash is generated.

Does password_verify automatically generate a salt in conjunction with password_hash?

How is the salt consistent (so that the correct salt is used when the password is verified) but different (so that it doesn't defeat the purpose of a salt)?
Question by:burnedfaceless
5 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 125 total points
ID: 41833044
In a very simple summarization (not including complex details):

Normal password store without salt: The plain password is taken from the user input and this is used as the key to run an encryption algorithm (specifically a hash function) that will return as the result a one-way hash, which is going to be stored as the password hash. The problem is that at this point, if you look at all the hashes in the DB, if you detect that two of them are the same, it means that you have two different users using the same password (or a different password that produces a collision).

Password store with salt: A salt (random / pseudorandom number) is generated (e.g. from the system clock or cursor movement), and that 'salt' (which is going to be used just for one user) is taken in order to modify the encryption algorithm. It means that at this point we are not using a 100% standardized encryption algorithm, we are using a new version of the algorithm that has been modified by the SALT. Then this new algorithm takes the plain password from the user input and generates a password hash, which is going to be stored together with the 'salt' that was used to modify the encryption algorithm. At this point, even different users using the same password are going to appear with different hashes stored.

From a validation perspective, the 'salt' is read from the DB to recreate the modified encryption algorithm, then the algorithm is used inserting in it as input the plain password that is desired to verify, and if it matches the stored hash it means that the password is correct.

So, now answering the questions...

Does password verify automatically generate a salt in conjunction with password hash? Password verification uses the previously stored 'salt' to build the special modified encryption algorithm... we can say that the salt is not something secret at all; what continues to be secret is the plain password used as input in the encryption algorithm.

How is the salt consistent? The salt will vary and a different salt will be created for each password stored in the DB, i.e. different users will use different 'salt' codes. But the salts are stored next to the password hash. Both pieces of information are used in order to validate a password (the 'salt' to modify the encryption algorithm, like making a unique one, and the stored hash to validate the result of the password that is being authenticated).
LVL 52

Assisted Solution

by:Julian Hansen
Julian Hansen earned 125 total points
ID: 41833157
Does password_verify automatically generate a salt in conjunction with password_hash?
From the docs for password_verify()
Verifies that the given hash matches the given password.

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

From the docs for password_hash()
Supported Options:

    salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

Answer:
password_verify() does not generate anything - it verifies a hash created by password_hash() which does include a salt unless you specifically tell it not to.
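As an added example (not code from any answer above): a Python script that first takes apart a string in the layout password_hash() produces for bcrypt, to show where the algorithm id, cost and 22-character salt sit inside the single stored value, and then rebuilds the same "salt travels inside the stored string" pattern with the standard library's PBKDF2, so you can see that two hashes of one password differ while both still verify. The sample bcrypt string is constructed (not a real hash of any password), and the "pbkdf2-sha256" scheme name and the functions make_hash/verify are hypothetical, not PHP's.

```python
import base64
import hashlib
import hmac
import os
import re

# Layout of a PHP password_hash() bcrypt string: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample in the PHP bcrypt layout (not a real hash of any password).
SAMPLE_PHP_HASH = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

def parse_php_bcrypt(stored: str) -> dict:
    """Pull the algorithm id, cost and salt back out of a password_hash() string."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt string in the password_hash() layout")
    algo, cost, salt, digest = m.groups()
    return {"algo": algo, "cost": int(cost), "salt": salt, "digest": digest}

# The same self-describing layout rebuilt with stdlib PBKDF2 (hypothetical scheme name).
ITERATIONS = 100_000

def make_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; the salt is embedded in the returned string."""
    salt = os.urandom(16)  # new salt on every call, as password_hash() does
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify(password: str, stored: str) -> bool:
    """Recover salt and iteration count from the stored string, recompute, compare."""
    try:
        _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:  # wrong field count, bad base64 or bad integer: not our format
        return False
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time, unlike a plain == on strings

if __name__ == "__main__":
    h1, h2 = make_hash("correct horse"), make_hash("correct horse")
    print(parse_php_bcrypt(SAMPLE_PHP_HASH))
    print("same password, different stored strings:", h1 != h2)
    print("both verify:", verify("correct horse", h1) and verify("correct horse", h2))
```

Comparing h1 == h2 directly is the mistake the answers warn about: the strings differ because the embedded salts differ, and only verify() (or password_verify() in PHP) reads the salt back out to recompute the digest.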
LVL 108

Accepted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 41833645
Yes, password_verify() automatically handles the salt and the encryption algorithm.  You want to use the PASSWORD_DEFAULT algorithm.  A careful reading of the online man pages will explain why.  The PASSWORD_DEFAULT algorithm may change in the future, and your code will generally be future-proof if you use PASSWORD_DEFAULT.

Direct string comparisons of two outputs from identical password_hash() do not work correctly.  The salt is not consistent, but it is returned as part of the output from password_hash().  To verify, you need to use password_verify() and test for True or False.

Here's my teaching example showing the way it works.  If you run it, you will see that subsequent calls to the hashing algorithm may generate different hash values from identical passwords.
https://iconoun.com/demo/password_hashing.php
<?php // demo/password_hashing.php
/**
 * Show how to hash and verify a password with binary-safe transport over the internet
 *
 * Store the result in a database column that can expand to 255 characters
 *
 * http://php.net/manual/en/book.password.php
 * http://php.net/manual/en/function.password-hash.php
 * http://php.net/manual/en/function.password-verify.php
 */
error_reporting(E_ALL);

/**
 * The Interface defines the two main activities
 */
interface Hash_Interface
{
    public function hash($pass);
    public function verify($pass, $hash);
}

class Concrete_Hash implements Hash_Interface
{
    // PHP ALLOWS AN IMPLEMENTING METHOD TO ADD AN OPTIONAL PARAMETER
    public function hash($pass, $algo = PASSWORD_DEFAULT)
    {
        // DROP WHITESPACE BEFORE HASHING
        $text = trim($pass);

        // HASH THE TRIMMED TEXT; password_hash() ADDS A FRESH RANDOM SALT ON EVERY CALL
        $data = password_hash($text, $algo);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function verify($pass, $hash)
    {
        // DECODE THE base64() STRING INTO THE HASH (ALGORITHM, COST AND SALT ARE INSIDE IT)
        $hash = base64_decode($hash);

        // TRIM THE SAME WAY AS hash() SO THE SAME TEXT IS CHECKED
        return password_verify(trim($pass), $hash);
    }
}

// ESCAPE USER-SUPPLIED VALUES BEFORE ECHOING THEM INTO HTML
function esc($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// INSTANTIATE A HASHING OBJECT FROM THE CLASS
$h = new Concrete_Hash();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
$hash = isset($_POST['hash']) ? $_POST['hash'] : '';

// IF A PASSWORD WAS POSTED, HASH IT AND SHOW THE DATA
if ($pass !== '')
{
    $hash = $h->hash($pass);
    echo "<br/>PASSWORD <b>" . esc($pass) . "</b> YIELDS HASH ";
    echo "<i>" . esc($hash) . "</i>";
}

// IF A HASH WAS POSTED, VERIFY THE POSTED PASSWORD AGAINST IT
if (!empty($_POST['hash']))
{
    $result  = $h->verify($pass, $_POST['hash']);
    $verdict = $result ? 'PASSES' : '<b><i>FAILS</i></b>';
    echo "<br/>PASSWORD <b>" . esc($pass) . "</b> $verdict VERIFICATION WITH HASH <i>" . esc($_POST['hash']) . "</i> ";
}

// CREATE THE FORM USING HEREDOC NOTATION (VALUES ESCAPED FOR USE IN ATTRIBUTES)
$pass_attr = esc($pass);
$hash_attr = esc($hash);
$form = <<<FORM

<style type="text/css">
.txt {
    width:60em;
}
</style>

<form method="post">
<br><br>
<input class="txt" name="pass" value="$pass_attr" />
<input type="submit" value="HASH THIS PASSWORD" />
<br><br>
<input class="txt" name="hash" value="$hash_attr" />
<input type="submit" value="VERIFY $pass_attr WITH THIS HASH" />
</form>
FORM;

echo $form;



Author Closing Comment

by:burnedfaceless
ID: 41835080
Good stuff, PHP makes this really easy.
LVL 108

Expert Comment

by:Ray Paseur
ID: 41877702