basic php pbkdf2 hashing

Published 2019-06-01 15:12

I am relatively new to php, and just beginning to grasp the point of salt when it comes to hashing passwords (I think?). Anyways, here's my problem...

Right now I have a mysql database with a username, password, salt field. The password field length is 64 chars, the salt field is 3 chars. Upon registration, each username is assigned a random salt. I am not having any issues with this (I believe). First, the user's desired password is hashed via:

$hashedinput = hash('sha256', $input); // SHA-256 hex digest of the submitted password

The user's desired password is then hashed with the salt included with pbkdf2 by the following procedure, and entered in the database:

$password = pbkdf2('sha256', $hashedinput, $salt, 10000, 64); // userland pbkdf2(): 10000 iterations, key length 64

My problem is the log in. When comparing the hashed password in the database to the password the user inputs, it always comes back !=. Here is what I do to validate login:

$userData = mysql_fetch_array($search, MYSQL_ASSOC);
$inputhash = hash('sha256', $input); // From Form
$salt = $userData['salt']; // Salt from DB
$password = pbkdf2('sha256', $inputhash, $salt, 10000, 64);
$knownpassword = $userData['password']; // Known password from DB

So, to troubleshoot I echoed all the outputs and this is what it looks like when I enter the CORRECT password (and it doesn't log me in):

Input password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6e66913e43bf60478907ca07429b0cf90c808ce2097e0544cc44d298bfb7b85ad

DB password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6

Note that the input password has the first 64 characters correct, but it continues to go on for 128 chars total. The DB password is just 64.

Thanks ahead of time!

1 answer
走好不送
#2 · 2019-06-01 15:38

Thomas Ptacek wrote a great article a while back explaining - in some detail - what salt is, why it's useful, and gave the #1 rule you need to memorize regarding password hashing systems:

Use someone else’s password system. Don’t build your own.

If you are going to be using PHP 5.5 in your application, use the new password_hash API; if you're not, make sure you're using at least PHP 5.3 and use the password_hash userland compatibility library. They are designed to take all the pain out of this for you.
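As an added example that is neither the questioner's nor the answerer's code, the PHP below reproduces the length mismatch from the question and then shows the password_hash / password_verify approach the answer recommends. It assumes the questioner's userland pbkdf2() hex-encodes 64 raw bytes (giving 128 characters that a 64-character column truncates); the 'correct horse' password, the 'abc' salt and the column-truncation helper are constructed for the demo.

```php
<?php
// Added example (not from the question or the answer). Assumption: the
// questioner's userland pbkdf2() hex-encodes $keyLength raw bytes, so asking
// for 64 bytes yields 128 hex characters.
declare(strict_types=1);

// Stand-in for such a userland pbkdf2(): derive $keyLength BYTES, then hex-encode.
function userland_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $keyLength): string
{
    return bin2hex(hash_pbkdf2($algo, $password, $salt, $iterations, $keyLength, true));
}

// What a VARCHAR(64) column keeps of a longer value (MySQL truncates silently in non-strict mode).
function store_in_varchar64(string $value): string
{
    return substr($value, 0, 64);
}

// The question's login flow: hash the input, feed the digest to PBKDF2, compare with the stored value.
function legacy_login_matches(string $input, string $salt, string $stored): bool
{
    $derived = userland_pbkdf2('sha256', hash('sha256', $input), $salt, 10000, 64);
    // hash_equals is a constant-time comparison; a plain == would fail here for the same reason.
    return hash_equals($stored, $derived);
}

// What the answer recommends: password_hash() chooses the algorithm, salt and cost itself.
function register(string $password): string
{
    // The returned string embeds algorithm, cost and salt; store it whole (VARCHAR(255) leaves headroom).
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demo with constructed values: a 3-character salt as in the question.
$salt = 'abc';
$derived = userland_pbkdf2('sha256', hash('sha256', 'correct horse'), $salt, 10000, 64);
$stored  = store_in_varchar64($derived);
// 64 raw bytes hex-encode to 128 characters; the column keeps only the first 64, so the compare fails.
printf("derived %d chars, stored %d chars, match: %s\n",
    strlen($derived), strlen($stored), var_export(legacy_login_matches('correct horse', $salt, $stored), true));

$storedHash = register('correct horse');
printf("password_verify correct: %s, wrong: %s\n",
    var_export(login('correct horse', $storedHash), true), var_export(login('wrong', $storedHash), true));
```

Note that the built-in hash_pbkdf2() interprets its length argument as the number of output characters when it returns hex, so the same call with a userland function and with the built-in can produce strings of different lengths.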
