
phpass CheckPassword using different salts?

Published 2019-08-01 12:25

Question:

I have a site with a user area and admin area. In the admin area, I have a page for creating users and a page for creating admins. On the users and admins pages, I used the code below to hash passwords:

<?php
require_once 'PasswordHash.php';            // phpass
$hasher = new PasswordHash(8, false);       // iteration count 2^8; false = prefer bcrypt over portable $P$ hashes
$password = $HTTP_POST_VARS['password'];    // PHP 4 long-form POST array (same data as $_POST)
$hash = $hasher->HashPassword($password);   // modular crypt string: identifier, cost, salt, digest
$HTTP_POST_VARS['password'] = $hash;        // the hash replaces the plaintext before the row is written

For the user page, the code to check the password is:

<?php
require_once 'PasswordHash.php';            // phpass
$hasher = new PasswordHash(8, false);       // same parameters as when the hash was created
// $arrData is the user's row from the database; $conf names the password column
$check = $hasher->CheckPassword($password, $arrData[$conf['PASSWORD']['FIELD']]);
if ($check) {
    //login...
}

This works perfectly. My user passwords are hashed and it correctly checks the passwords. I use identical code on the admin login page; however, it is not working. It pulls the correct information from the database, but when CheckPassword is used, the passwords do not match. I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

By the way, I am using PHP 4.3.

Answer 1:

I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

I don't know why you might think that; however, the beginning parts of the password hashes (!) should be the same. The hashes created by bcrypt use the modular crypt format, which does not just contain the hash value but also an indicator of the hash function used, the number of rounds, and the salt that was used to create the hash value. That is the part that is the same. See as well a related question I copied this information over from:

  • Phpass - danger of not being able to access all passwords?

This might not answer your question but hopefully clarifies some details for you so that you do not look in the wrong places.


I have the database set to allow for 50 characters now. Does anyone know the longest hash phpass will generate?

That depends on the hash function used. In the article How to manage a PHP application's users and passwords by the author of Phpass, the following example MySQL database schema is given:

create database myapp;
use myapp;
create table users (user varchar(60), pass varchar(60));

You see here, this is a VARCHAR(60). This implies that 60 characters max are enough.

From another perspective, WordPress uses Phpass as well and has the following password column definition:

user_pass VARCHAR(64)

That implies that 64 characters should be enough for them. However, keep in mind that WordPress also supports other hashes, so this might be just a general value and not Phpass specific.

See as well:

  • Portable PHP password hashing framework (I'd say this is the minimum must-read, read it if you want to learn more)
  • Portable (PHPass) password hashes. Should I use them?
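
The two points in this answer, the shared prefix and the column width, come down to the layout of the bcrypt string. The following PHP is an added example, not code from the question or from phpass: it uses PHP's built-in password_hash()/password_verify() (PHP 5.5 or later) rather than the PasswordHash class, which with portable hashes disabled and bcrypt available emits the same 60-character format (its identifier may read "$2a$" instead of "$2y$"). The sample password, the parseBcrypt/hashIsIntact/storeInVarchar helper names and the VARCHAR(50) simulation are assumptions made for the example.

```php
<?php
// Added example (not from the question or phpass): anatomy of a bcrypt modular
// crypt string and what a too-narrow password column does to it.

// Split a bcrypt string into its fields: "$2y$08$" + 22-char salt + 31-char digest.
// Returns null for anything that is not a complete bcrypt string.
function parseBcrypt($hash) {
    if (!preg_match('/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        return null;   // e.g. a hash truncated by the database column
    }
    return array('id' => $m[1], 'cost' => (int)$m[2], 'salt' => $m[3], 'digest' => $m[4]);
}

// Guard to run on a value read back from the users table before calling
// CheckPassword/password_verify: a bcrypt hash is always exactly 60 characters.
function hashIsIntact($stored) {
    return strlen($stored) === 60 && parseBcrypt($stored) !== null;
}

// Simulate a VARCHAR(n) column: MySQL silently cuts the value to n characters
// unless strict mode is enabled (hypothetical helper, stands in for the INSERT).
function storeInVarchar($value, $width) {
    return substr($value, 0, $width);
}

$password = 'correct horse battery staple';   // constructed sample password
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 8));
$fields = parseBcrypt($hash);

// Every hash made with cost 8 starts with "$2y$08$"; the 22-character salt that
// follows is random per hash, and only the final 31 characters are the digest.
// Two hashes of the same password therefore share the identifier and cost, nothing else.
printf("length %d, id %s, cost %d, salt %s\n",
       strlen($hash), $fields['id'], $fields['cost'], $fields['salt']);

// Column wide enough (the VARCHAR(60) from the answer): verification succeeds.
$stored60 = storeInVarchar($hash, 60);
var_dump(hashIsIntact($stored60), password_verify($password, $stored60));   // true, true

// Column too narrow (VARCHAR(50) as in the question): the last 10 characters of
// the digest are gone. The row still looks hashed, with the familiar prefix, but
// no password can ever verify against it.
$stored50 = storeInVarchar($hash, 50);
var_dump(hashIsIntact($stored50), password_verify($password, $stored50));   // false, false
```

Run it with php on the command line. The hashIsIntact() check is the one that would have exposed the admin-table problem immediately: a login that always fails while the stored value starts with the expected "$2" prefix is the signature of a truncated hash, so verifying the length once when the column is created (and again in the login path, logging a mismatch as a configuration error rather than a bad password) is cheap insurance. Sizing the column at 60 characters or more, as the answer recommends, and enabling MySQL strict mode so an oversized value is rejected instead of silently shortened, removes the failure mode altogether.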


Answer 2:

I think I figured it out. The table storing the admin passwords wasn't storing the entire hash. I can't believe I didn't realize that earlier.

I have the database set to allow for 50 characters now. Does anyone know the longest hash phpass will generate?