Solved

Does password_verify automatically detect the salt?

Posted on 2016-10-06
Last Modified: 2016-11-07
As I understand password_verify, a salt is encrypted and added to the database, then it is added to the password so that a different hash is generated.

Does password_verify automatically generate a salt in conjunction with password_hash?

How is the salt consistent (so that the correct salt is used when the password is verified) but different (so that it doesn't defeat the purpose of a salt)?
Question by:burnedfaceless
5 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 125 total points
ID: 41833044
In a very simple summarization (not including complex details):

Normal password store without salt: The plain password is taken from the user input and this is used as the key to run an encryption algorithm (specifically a hash function) that will return as the result a one-way hash, which is going to be stored as the password hash. The problem is that at this point, if you look at all the hashes in the DB, if you detect that two of them are the same, it means that you have two different users using the same password (or a different password that produces a collision).

Password store with salt: A salt (random / pseudorandom number) is generated (i.e. from system clock, cursor movement), and that 'salt' (that is going to be used just for one user) is taken in order to modify the encryption algorithm. It means that at this point we are not using a 100% standardized encryption algorithm, we are using a new version of the algorithm that has been modified by the SALT. Then this new algorithm takes the plain password from the user input and generates a password hash, which is going to be stored together with the 'salt' that was used to modify the encryption algorithm. At this point, even different users using the same password are going to appear with different hashes stored.

From a validation perspective, the 'salt' is read from the DB to recreate the modified encryption algorithm, then the algorithm is used inserting in it as input the plain password that is desired to verify, and if it matches the stored hash it means that the password is correct.

So, now answering the questions...

Does password verify automatically generate a salt in conjunction with password hash? Password verification uses the previously stored 'salt' to build the special modified encryption algorithm... we can say that the salt is not something secret at all; what remains secret is the plain password used as input in the encryption algorithm.

How is the salt consistent? The salt will vary and a different salt will be created for each password stored in the DB, i.e. different users will use different 'salt' codes. But the salts are stored next to the password hash. Both pieces of information are used in order to validate a password (the 'salt' to modify the encryption algorithm, like making a unique one, and the stored hash to validate the result of the password that is being authenticated).
 
LVL 54

Assisted Solution

by:Julian Hansen
Julian Hansen earned 125 total points
ID: 41833157
Does password_verify automatically generate a salt in conjunction with password_hash?
From the docs for password_verify()
Verifies that the given hash matches the given password.

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

From the docs for password_hash()
Supported Options:

    salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

Answer:
password_verify() does not generate anything - it verifies a hash created by password_hash() which does include a salt unless you specifically tell it not to.
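The points made in the two answers above (the salt is stored beside the hash, and password_hash() returns the algorithm, cost and salt inside one string) can be seen directly by taking a bcrypt string apart. The following is an added example, not code from the thread: bcrypt_parts() is a helper written here, the password string is constructed, and PASSWORD_BCRYPT is chosen explicitly so the fixed 60-character layout is guaranteed.

```php
<?php
// Added example (not from the thread): what password_hash() actually stores,
// and why password_verify() needs no separate salt column.

$password = 'correct horse battery staple';   // constructed sample input

// Two hashes of the same password: a fresh random salt is drawn each time,
// so the two strings differ even though the input is identical.
$a = password_hash($password, PASSWORD_BCRYPT);
$b = password_hash($password, PASSWORD_BCRYPT);
var_dump($a === $b);

// Both still verify, because each string carries the salt it was made with.
var_dump(password_verify($password, $a));
var_dump(password_verify($password, $b));

/**
 * Split a bcrypt string into its parts (helper written for this example).
 * Layout: "$2y$" . two-digit cost . "$" . 22 chars of salt . 31 chars of digest
 * (7 + 22 + 31 = 60 characters in total).
 */
function bcrypt_parts(string $hash): array
{
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$(.{22})(.{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algo'   => $m[1],
        'cost'   => (int) $m[2],
        'salt'   => $m[3],   // public: reading it gives an attacker nothing new
        'digest' => $m[4],   // the part that actually depends on the password
    ];
}

// Same algo and cost, different salt and digest.
print_r(bcrypt_parts($a));
print_r(bcrypt_parts($b));

// password_get_info() exposes the same metadata without hand parsing.
print_r(password_get_info($a));
```

Run stand-alone, the first var_dump() is false and the next two are true: the salt varies, the verification does not. The parsed output shows the same algorithm and cost in both strings with different 22-character salts, which is the concrete reason the "salt" option to password_hash() is unnecessary (and, since PHP 7.0, deprecated): the function generates and stores the salt for you.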
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41833645
Yes, password_verify() automatically handles the salt and the encryption algorithm.  You want to use the PASSWORD_DEFAULT algorithm.  A careful reading of the online man pages will explain why.  The PASSWORD_DEFAULT algorithm may change in the future, and your code will generally be future-proof if you use PASSWORD_DEFAULT.

Direct string comparisons of two outputs from identical password_hash() do not work correctly.  The salt is not consistent, but it is returned as part of the output from password_hash().  To verify, you need to use password_verify() and test for True or False.

Here's my teaching example showing the way it works.  If you run it, you will see that subsequent calls to the hashing algorithm may generate different hash values from identical passwords.
https://iconoun.com/demo/password_hashing.php
<?php // demo/password_hashing.php
/**
 * Show how to hash and verify a password with binary-safe transport over the internet
 *
 * Store the result in a database column that can expand to 255 characters
 *
 * http://php.net/manual/en/book.password.php
 * http://php.net/manual/en/function.password-hash.php
 * http://php.net/manual/en/function.password-verify.php
 */
error_reporting(E_ALL);

/**
 * The Interface defines the two main activities
 */
interface Hash_Interface
{
    public function hash($pass);
    public function verify($pass, $hash);
}

class Concrete_Hash implements Hash_Interface
{
    public function hash($pass, $algo=PASSWORD_DEFAULT)
    {
        // DROP LEADING AND TRAILING WHITESPACE BEFORE HASHING
        $text = trim($pass);

        // HASH THE TRIMMED PASSWORD TEXT
        $data = password_hash($text, $algo);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function verify($pass, $hash)
    {
        // TRIM EXACTLY AS hash() DOES SO BOTH PATHS SEE THE SAME TEXT
        $text = trim($pass);

        // DECODE THE base64() STRING INTO THE HASH
        $hash = base64_decode($hash);

        return password_verify($text, $hash);
    }
}


// INSTANTIATE A HASHING OBJECT FROM THE CLASS
$h = new Concrete_Hash();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$pass = $hash = NULL;

// HTML-ESCAPE A VALUE BEFORE ECHOING IT BACK INTO THE PAGE
function esc($str)
{
    return htmlspecialchars((string)$str, ENT_QUOTES, 'UTF-8');
}

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["pass"]))
{
    $pass = $_POST['pass'];
    $hash = $h->hash($_POST["pass"]);
    echo "<br/>PASSWORD <b>" . esc($pass) . "</b> YIELDS HASH ";
    echo "<i>" . esc($hash) . "</i>";
}

if (!empty($_POST["hash"]))
{
    $result = $h->verify($_POST["pass"], $_POST['hash']);
    $p = esc($_POST['pass']);
    $x = esc($_POST['hash']);
    if  ($result) echo "<br/>PASSWORD <b>$p</b>       PASSES        VERIFICATION WITH HASH <i>$x</i> ";
    if (!$result) echo "<br/>PASSWORD <b>$p</b> <b><i>FAILS</i></b> VERIFICATION WITH HASH <i>$x</i> ";
}

// ESCAPED COPIES FOR THE FORM FIELDS (HEREDOC DOES NOT ESCAPE FOR YOU)
$pass_html = esc($pass);
$hash_html = esc($hash);

// CREATE THE FORM USING HEREDOC NOTATION
$form = <<<FORM

<style type="text/css">
.txt {
    width:60em;
}
</style>

<form method="post">
<br><br>
<input class="txt" name="pass" value="$pass_html" />
<input type="submit" value="HASH THIS PASSWORD" />
<br><br>
<input class="txt" name="hash" value="$hash_html" />
<input type="submit" value="VERIFY $pass_html WITH THIS HASH" />
</form>
FORM;

echo $form;

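A login routine in the spirit of the accepted answer, added here rather than taken from the thread: it relies on password_verify() for the comparison (never a string compare of two hashes, which the answer notes cannot work) and pairs PASSWORD_DEFAULT with password_needs_rehash(), so rows hashed under an older default algorithm or a lower cost are upgraded the next time the user logs in. The in-memory $users array, the cost of 12, and the login() and cost_of() helpers are assumptions made for the example; it needs PHP 7.0 or later for the scalar type hints and the ?? operator.

```php
<?php
// Added example (not from the thread): verify, then lazily upgrade old hashes.
// Requires PHP 7.0+ for scalar type hints and the ?? operator.

$opts = ['cost' => 12];   // assumption: a cost tuned for the server running this

// Constructed stand-in for a users table: name => stored hash string.
$users = [
    'alice' => password_hash('alice-secret', PASSWORD_DEFAULT, $opts),
    // Older row hashed at the library default cost (10); migrated on next login.
    'bob'   => password_hash('bob-secret', PASSWORD_DEFAULT),
];

/**
 * Returns true when $pass matches the stored hash for $name.
 * On success, if the stored hash no longer matches the current algorithm or
 * options, it is re-hashed and written back, so old rows migrate over time
 * without ever needing the plaintext outside a successful login.
 */
function login(array &$users, string $name, string $pass, array $opts): bool
{
    // Unknown user: verify against a throwaway hash so the call still costs
    // one bcrypt run and response time does not reveal whether the name exists.
    $stored = $users[$name] ?? password_hash('dummy', PASSWORD_DEFAULT, $opts);

    if (!password_verify($pass, $stored)) {
        return false;
    }

    if (isset($users[$name]) && password_needs_rehash($stored, PASSWORD_DEFAULT, $opts)) {
        // In a real application this is an UPDATE on the user's row.
        $users[$name] = password_hash($pass, PASSWORD_DEFAULT, $opts);
    }
    return true;
}

// Read the cost back out of a stored hash (helper written for this example).
function cost_of(string $hash): int
{
    return password_get_info($hash)['options']['cost'];
}

var_dump(login($users, 'bob', 'wrong', $opts));
var_dump(cost_of($users['bob']));
var_dump(login($users, 'bob', 'bob-secret', $opts));
var_dump(cost_of($users['bob']));
var_dump(login($users, 'nobody', 'x', $opts));
```

Run stand-alone: the wrong password fails and leaves bob's row at cost 10; the correct password succeeds and the following cost_of() call reports 12, because password_needs_rehash() saw that the stored hash did not match the current options and login() replaced it. The unknown-user call fails as well. Because every stored string records its own algorithm, cost and salt, a future change to what PASSWORD_DEFAULT means does not break verification of existing rows; it just makes password_needs_rehash() return true for them.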
 

Author Closing Comment

by:burnedfaceless
ID: 41835080
Good stuff, PHP makes this really easy.
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 41877702