Solved

Does password_verify automatically detect the salt?

Posted on 2016-10-06
5
39 Views
Last Modified: 2016-11-07
As I understand password_verify, a salt is encrypted and added to the database, then it is added to the password so that a different hash is generated.

Does password_verify automatically generate a salt in conjunction with password_hash?

How is the salt consistent (so that the correct salt is used when the password is verified) but different (so that it doesn't defeat the purpose of a salt)?
0
Question by:burnedfaceless
5 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 125 total points
ID: 41833044
In a very simple summarization (not including complex details):

Normal password store without salt: The plain password is taken from the user input and this is used as the key to run an encryption algorithm (specifically a hash function) that will return as the result a one-way hash, which is going to be stored as the password hash. The problem is that at this point, if you look at all the hashes in the DB and detect that two of them are the same, it means that you have two different users using the same password (or a different password that produces a collision).

Password store with salt: A salt (random / pseudorandom number) is generated (e.g. from the system clock or cursor movement), and that 'salt' (which is going to be used just for one user) is taken in order to modify the encryption algorithm. It means that at this point we are not using a 100% standardized encryption algorithm; we are using a new version of the algorithm that has been modified by the SALT. Then this new algorithm takes the plain password from the user input and generates a password hash, which is going to be stored together with the 'salt' that was used to modify the encryption algorithm. At this point, even different users using the same password are going to appear with different hashes stored.

From a validation perspective, the 'salt' is read from the DB to recreate the modified encryption algorithm, then the algorithm is used inserting in it as input the plain password that is desired to verify, and if it matches the stored hash it means that the password is correct.

So, now answering the questions...

Does password_verify automatically generate a salt in conjunction with password_hash? Password verification uses the previously stored 'salt' to build the special modified encryption algorithm... we can say that the salt is not something secret at all; what remains secret is the plain password used as input in the encryption algorithm.

How is the salt consistent? The salt will vary and a different salt will be created for each password stored in the DB, i.e. different users will use different 'salt' codes. But the salts are stored next to the password hash. Both pieces of information are used in order to validate a password (the 'salt' to modify the encryption algorithm, making a unique one, and the stored hash to validate the result of the password that is being authenticated).
1
 
LVL 51

Assisted Solution

by:Julian Hansen
Julian Hansen earned 125 total points
ID: 41833157
Does password_verify automatically generate a salt in conjunction with password_hash?
From the docs for password_verify()
Verifies that the given hash matches the given password.

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

From the docs for password_hash()
Supported Options:

    salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

Answer:
password_verify() does not generate anything - it verifies a hash created by password_hash() which does include a salt unless you specifically tell it not to.
0
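The self-describing hash string that the two answers above talk about, pulled apart and verified, as an added example that is not from the thread, the PHP manual or the iconoun demo. It assumes PHP 7.0 or later and that PASSWORD_DEFAULT selects bcrypt (true of every PHP release through 8.x); the helper names hashTwice and dissectBcrypt and the sample password are this editor's own. Two caveats worth knowing before relying on the "salt" option the manual mentions: it was deprecated in PHP 7.0 and is no longer honoured in PHP 8, and bcrypt uses only the first 72 bytes of the password.

```php
<?php
// Added example (not part of the original thread): show what password_hash()
// actually stores and why password_verify() never needs a separately stored salt.
// Assumes PHP >= 7.0 with PASSWORD_DEFAULT == bcrypt. The password is a
// constructed sample, not a real credential.

function hashTwice(string $password): array
{
    // Identical input, two different outputs: password_hash() draws a fresh
    // 128-bit salt from the CSPRNG on every call and embeds it in the result.
    return [
        password_hash($password, PASSWORD_DEFAULT),
        password_hash($password, PASSWORD_DEFAULT),
    ];
}

function dissectBcrypt(string $hash): array
{
    // Layout of a bcrypt string (60 chars): $2y$<cost>$<22-char salt><31-char digest>
    // The salt sits in the clear in front of the digest; it is not a secret.
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple';
list($h1, $h2) = hashTwice($password);

// A plain string comparison of two hashes of the same password is useless...
var_dump($h1 === $h2);                              // bool(false)
// ...but both verify, because each carries its own salt, algorithm and cost.
var_dump(password_verify($password, $h1));          // bool(true)
var_dump(password_verify($password, $h2));          // bool(true)
var_dump(password_verify('Correct horse battery staple', $h1)); // bool(false)

// Same algorithm and cost, different salt, therefore different digest.
print_r(dissectBcrypt($h1));
print_r(dissectBcrypt($h2));

// PHP's own view of the stored string: algorithm name and cost, no salt needed.
print_r(password_get_info($h1));

// Raising the work factor later: old hashes still verify with the cost they
// carry; rehash transparently on the next successful login.
$stronger = ['cost' => dissectBcrypt($h1)['cost'] + 1];
if (password_verify($password, $h1) && password_needs_rehash($h1, PASSWORD_DEFAULT, $stronger)) {
    $h1 = password_hash($password, PASSWORD_DEFAULT, $stronger);
    // ...write $h1 back to the users table in place of the old string...
}
var_dump(dissectBcrypt($h1)['cost'] === $stronger['cost']); // bool(true)
```

password_verify() compares the recomputed digest against the stored one in constant time, so there is no reason to reach for `==` or `hash_equals()` yourself; and because the cost is stored alongside the salt, a database of mixed-cost hashes remains verifiable while it is migrated.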
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41833645
Yes, password_verify() automatically handles the salt and the encryption algorithm.  You want to use the PASSWORD_DEFAULT algorithm.  A careful reading of the online man pages will explain why.  The PASSWORD_DEFAULT algorithm may change in the future, and your code will generally be future-proof if you use PASSWORD_DEFAULT.

Direct string comparisons of two outputs from identical password_hash() do not work correctly.  The salt is not consistent, but it is returned as part of the output from password_hash().  To verify, you need to use password_verify() and test for True or False.

Here's my teaching example showing the way it works.  If you run it, you will see that subsequent calls to the hashing algorithm may generate different hash values from identical passwords.
https://iconoun.com/demo/password_hashing.php
<?php // demo/password_hashing.php
/**
 * Show how to hash and verify a password with binary-safe transport over the internet
 *
 * Store the result in a database column that can expand to 255 characters
 *
 * http://php.net/manual/en/book.password.php
 * http://php.net/manual/en/function.password-hash.php
 * http://php.net/manual/en/function.password-verify.php
 */
error_reporting(E_ALL);

/**
 * The Interface defines the two main activities
 */
interface Hash_Interface
{
    public function hash($pass);
    public function verify($pass, $hash);
}

class Concrete_Hash implements Hash_Interface
{
    public function hash($pass, $algo = PASSWORD_DEFAULT)
    {
        // DROP LEADING AND TRAILING WHITESPACE BEFORE HASHING
        $text = trim($pass);

        // HASH THE TRIMMED PASSWORD TEXT; THE SALT IS GENERATED AND EMBEDDED HERE
        $data = password_hash($text, $algo);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function verify($pass, $hash)
    {
        // APPLY THE SAME TRIM AS hash(), OTHERWISE A PADDED INPUT WOULD NEVER VERIFY
        $text = trim($pass);

        // DECODE THE base64() STRING INTO THE HASH
        $hash = base64_decode($hash);

        // password_verify() READS ALGORITHM, COST AND SALT OUT OF $hash ITSELF
        return password_verify($text, $hash);
    }
}


// INSTANTIATE A HASHING OBJECT FROM THE CLASS
$h = new Concrete_Hash();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$pass = $hash = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
// POSTED VALUES ARE ESCAPED BEFORE BEING ECHOED BACK INTO THE HTML
if (!empty($_POST["pass"]))
{
    $pass = htmlspecialchars($_POST['pass'], ENT_QUOTES, 'UTF-8');
    $hash = htmlspecialchars($h->hash($_POST["pass"]), ENT_QUOTES, 'UTF-8');
    echo "<br/>PASSWORD <b>$pass</b> YIELDS HASH ";
    echo "<i>$hash</i>";
}

if (!empty($_POST["hash"]))
{
    $posted_pass = isset($_POST["pass"]) ? $_POST["pass"] : '';
    $shown_pass  = htmlspecialchars($posted_pass, ENT_QUOTES, 'UTF-8');
    $shown_hash  = htmlspecialchars($_POST['hash'], ENT_QUOTES, 'UTF-8');
    $result = $h->verify($posted_pass, $_POST['hash']);
    if  ($result) echo "<br/>PASSWORD <b>$shown_pass</b>       PASSES        VERIFICATION WITH HASH <i>$shown_hash</i> ";
    if (!$result) echo "<br/>PASSWORD <b>$shown_pass</b> <b><i>FAILS</i></b> VERIFICATION WITH HASH <i>$shown_hash</i> ";
}


// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM

<style type="text/css">
.txt {
    width:60em;
}
</style>

<form method="post">
<br><br>
<input class="txt" name="pass" value="$pass" />
<input type="submit" value="HASH THIS PASSWORD" />
<br><br>
<input class="txt" name="hash" value="$hash" />
<input type="submit" value="VERIFY $pass WITH THIS HASH" />
</form>
FORM;

echo $form;


0
 

Author Closing Comment

by:burnedfaceless
ID: 41835080
Good stuff, PHP makes this really easy.
1
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41877702
1
