Thanks for the help.
[member=46186]Kevin Rubio[/member]: my PHP supports the password hash and password verify… and the test worked too… But I just keep having Invalid password… it cannot find the match and I just do not understand that… really pissed me off
Post a zip of your current code and an SQL dump of your database so I can test it on my system.
If the passwords aren’t matching, what is the difference between how they are added to the database (hash used) and when you check?
There’s nothing in your code that could tell you that the password is wrong. If [tt]password_verify()[/tt] fails, then you don’t give any feedback at all (which is a bad idea).
What you do have is a check if the user exists. In that case, you print “Wrong values”. So is this the error you’re getting? Then I suspect the [tt]PDOStatement::rowCount()[/tt] check. This method is strictly for [tt]INSERT[/tt], [tt]UPDATE[/tt] and [tt]DELETE[/tt] queries (check the manual). Misusing it for [tt]SELECT[/tt] queries is unreliable and may not work at all.
The extra check is useless, anyway. Just call [tt]PDOStatement::fetch()[/tt]. If it returns an associative array, you know the user exists, otherwise the user doesn’t exist. You should also get rid of the [tt]try[/tt]-[tt]catch[/tt] statement and leave the exception alone. PDO errors are not meant to be seen by users (this is actually dangerous, because it exposes internal information).
So a sanitized version of the code might look like this:
[php]<?php
// Look up the stored hash by e-mail address with a prepared statement.
$userStmt = $pdo->prepare('
    SELECT
        password
    FROM
        user_registration
    WHERE
        email = :email
');
$userStmt->execute([
    'email' => $_POST['email'],
]);
// fetch() returns an associative array if the user exists, false otherwise.
$user = $userStmt->fetch(PDO::FETCH_ASSOC);
if ($user && password_verify($_POST['pwd'], $user['password']))
{
    header('Location: /home.html.php');
    exit;
}
else
{
    echo 'Incorrect e-mail address or password.';
}[/php]
Note how the control flow ensures that the user gets proper feedback in any case: If the e-mail address or the password (or both) are wrong, then an error message is displayed.
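Both sides of the flow, registration and login, as an added example that is not part of the original post. It reuses the table and column names from the snippet above; the in-memory SQLite database, the sample credentials and the helper names `register`, `login` and `describeStoredHash` are assumptions made so the script runs on its own. The last helper addresses the question of how the value was stored: a SHA-1 digest or a hash truncated by a narrow column can never pass [tt]password_verify()[/tt].

```php
<?php
// Added example: register and log in against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_registration (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $pdo, string $email, string $plain): void
{
    // Store the complete password_hash() output (60 characters for bcrypt).
    $stmt = $pdo->prepare(
        'INSERT INTO user_registration (email, password) VALUES (:email, :password)'
    );
    $stmt->execute([
        'email'    => $email,
        'password' => password_hash($plain, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $pdo, string $email, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT password FROM user_registration WHERE email = :email');
    $stmt->execute(['email' => $email]);
    // fetch() yields false for an unknown e-mail, so no rowCount() check is needed.
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user && password_verify($plain, $user['password']);
}

function describeStoredHash(string $stored): string
{
    // password_get_info() reports no algorithm for anything password_hash()
    // did not produce in full, e.g. a SHA-1 hex digest or a truncated hash.
    $info = password_get_info($stored);
    return empty($info['algo']) ? 'not a password_hash() value' : $info['algoName'];
}

// Constructed sample account.
register($pdo, 'alice@example.test', 'correct horse battery staple');

var_dump(login($pdo, 'alice@example.test', 'correct horse battery staple')); // right password
var_dump(login($pdo, 'alice@example.test', 'wrong password'));               // wrong password
var_dump(login($pdo, 'nobody@example.test', 'anything'));                    // unknown e-mail

$stored = $pdo->query('SELECT password FROM user_registration')->fetchColumn();
echo describeStoredHash($stored), PHP_EOL;                 // value as stored
echo describeStoredHash(sha1('secret')), PHP_EOL;          // legacy SHA-1 digest
echo describeStoredHash(substr($stored, 0, 40)), PHP_EOL;  // hash cut to 40 characters
```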
There's nothing in your code that could tell you that the password is wrong.
You must have missed line 62
I have not, because that’s the line I’m talking about. The check doesn’t tell if the password is incorrect. There’s no [tt]else[/tt] branch, the code just keeps running and renders the whole page with no feedback whatsoever.
So when the OP claims to get an error along the lines of “The password is incorrect”, that can’t be true. Either the error message actually comes from the [tt]PDO::rowCount()[/tt] check, or the OP just guesses that there’s a password problem.
My point is: I’m interested in the actual symptoms, not a personal interpretation of the symptoms.
Yeah, hard for me to get a good read on the site when I have to scroll code. Once I pasted it into my IDE and deleted the fluff, it was much more clear.
First of all, thanks for your reply and help… I have made a form register/login with sha1… it worked great… but I will try again with password hash and verify… to sort it out…
It will work great if you want to get hacked. Don’t use sha.
My personal favorite,
[php]hash('whirlpool', $password);[/php]
I always use “password” or “123456” for my passwords. No one would ever think I would use something that simple. Practically hack proof. Sometimes I use my birthday. In case I forget my password I can just go to my profile page and see what my birthday is.
Umm, nice to know, but that isn’t what it is. whirlpool is the hash algorithm used.
Never heard of it. Have to check it out. What can you tell me about it? I thought it was some joke I didn’t get.
Abusing Whirlpool to hash passwords is a terrible idea and in no way better than MD5, SHA-1 or whatever.
Whirlpool is not a password hash algorithm at all. It’s a rather obscure cryptographic primitive which can be used by algorithm designers to construct message authentication codes, signature algorithms etc. That’s its sole purpose (although I have never seen it actually being used outside of dubious PHP tutorials).
When you hash passwords with it, Whirlpool fails miserably, because even consumer hardware can easily calculate around 1 billion(!) hashes per second (see the benchmarks of the oclHashcat tool). That means the average password has no chance of survival. You might as well have stored it as plaintext. On top of that, Whirlpool lacks even the most basic features of modern password hash algorithms like a cryptographic salt or an adjustable strength. In that regard, it’s little more than a fancy version of MD5.
If you want to store passwords, there are currently only four valid choices:
[ul][li]bcrypt[/li]
[li]scrypt[/li]
[li]Argon2[/li]
[li]PBKDF2[/li][/ul]
For all practical purposes, you want bcrypt.
I guess I was right, Whirlpool is a joke.
Well, I will upgrade the crypto used in future projects and look into SHA3 derivatives.
You will be current and safe with password_hash and password_verify (Bcrypt).
Then you’d make the same mistake yet again: SHA-3 was never intended for password hashing and is completely unsuitable for this purpose, because it provides no brute-force resistance whatsoever. Trying around 3 billion passwords per second is not a problem on high-end consumer hardware. This rate can be further increased by using specialized hardware (ASICs) or cloud services.
Cryptography is an exact science. Every tool has a very specific purpose and must be used in a very specific way. If you pick an algorithm just because it sounds good, things will go wrong.
So again: If you use anything other than the four algorithms mentioned above, you’ll end up with no security at all. And that’s not a joke.
It is strongly advised to use the recommended password hashing function, which is handily available at all times using password_hash/password_verify. If you use this library and send in PASSWORD_DEFAULT as your wanted algorithm, PHP will automatically use what is considered the most secure algo.
At the moment this algorithm is Bcrypt, which is preferred as it has been through some extensive testing and abuse, it’s designed to withstand asic/gpu cracking, it properly generates good salts, etc.
Even with the most recommended algo you can still do it wrong. With Bcrypt you can adjust the cost factor, which is an exponential work load value. Remember password hashing is supposed to be slow (it’s one of the only defences we have against brute forcing), so pick a cost that gives you a fair trade off between UX, server load, and security. 12-15 seems to be normal these days, which should take .1 - .25 seconds.
And for the love of god, please use a verified library instead of implementing your own version of it. Getting the algo, salt, etc correct is not something you should be fiddling with, unless you’re one of the few who actually make these things (you probably aren’t).
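Choosing the cost by measurement and raising it later without locking anyone out, as an added example that is not part of the original post. The 0.1 second target, the cost range 10 to 15 and the helper names `calibrateCost` and `verifyAndUpgrade` are assumptions for illustration.

```php
<?php
// Added example: pick a bcrypt cost for this server and upgrade old hashes at login.

function calibrateCost(float $targetSeconds, int $min = 10, int $max = 15): int
{
    // Walk up from $min and stop at the first cost that takes at least the
    // target time on this machine; fall back to $max if none does.
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-input', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

function verifyAndUpgrade(string $plain, string $stored, int $cost): ?string
{
    if (!password_verify($plain, $stored)) {
        return null; // wrong password: nothing to store
    }
    // The cost is encoded in the hash, so hashes made with an older cost keep
    // verifying. Re-hash only when the stored parameters differ from the policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $stored;
}

$cost = calibrateCost(0.1);
printf("chosen cost: %d\n", $cost);

// Constructed sample: a hash created earlier with a deliberately low cost.
$old = password_hash('s3cret-sample', PASSWORD_BCRYPT, ['cost' => 6]);
$new = verifyAndUpgrade('s3cret-sample', $old, $cost);

printf("stored cost before login: %d\n", password_get_info($old)['options']['cost']);
printf("stored cost after login:  %d\n", password_get_info($new)['options']['cost']);
var_dump(verifyAndUpgrade('wrong-guess', $old, $cost) === null);
```

The value returned by `verifyAndUpgrade` is what the application would write back to the password column after a successful login.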
To extend on this - the reason you’d want to use Bcrypt is that
SHAx aren’t password hashing algorithms. They are designed to give you a “unique” hash value for a given set of data. This is actually something we don’t want, as that would lead to every user having the same password getting the same hash. Also, these data checksum hashes are something you want to generate fast - and fast is something we definitely don’t want when talking about passwords. You could argue it’s just to implement salting to the SHAx hashing to make it secure, but doing this correctly isn’t as easy as just appending a “random” value. And as always, don’t roll your own crypto.
PBKDF2 just isn’t quite there, it’s so good it can be used, but the possibility to crack it on asic/gpu’s is pretty bad.
Bcrypt is what’s considered the best we have, it’s specifically designed to not “work” on GPUs, it’s tested and proven, and has good support on various systems/languages/libraries.
Scrypt is not considered battle tested enough.
Argon2 just won the password hashing competition, and may be great but definitely needs some time in the field before we know it’s safe.
In tech, new isn’t always better; especially in security, we want to rigorously test before using.
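The two properties argued over in this thread, identical hashes for identical passwords and raw speed, measured side by side in an added example that is not part of any post above. The sample password, the 0.5 second measurement window and the helper name `hashesPerSecond` are assumptions; the rates are for one CPU core of the machine running the script, not for the GPU figures quoted earlier.

```php
<?php
// Added example: fast digests versus bcrypt, on determinism and throughput.

function hashesPerSecond(callable $hashFn, float $window = 0.5): float
{
    // Call the hash function repeatedly for about $window seconds.
    $count = 0;
    $start = microtime(true);
    do {
        $hashFn('sample-password-' . $count);
        $count++;
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $window);
    return $count / $elapsed;
}

$password = 'same-password-for-two-users'; // constructed sample

// Unsalted digest: two users with the same password share one stored value.
$a = hash('whirlpool', $password);
$b = hash('whirlpool', $password);
var_dump($a === $b);

// bcrypt: a fresh random salt per call gives different stored values, and
// both verify because salt and cost travel inside the hash string.
$c = password_hash($password, PASSWORD_BCRYPT);
$d = password_hash($password, PASSWORD_BCRYPT);
var_dump($c === $d, password_verify($password, $c), password_verify($password, $d));

// Throughput of each function on this machine.
$candidates = [
    'whirlpool' => fn($p) => hash('whirlpool', $p),
    'sha1'      => fn($p) => hash('sha1', $p),
    'sha3-256'  => fn($p) => hash('sha3-256', $p),
    'bcrypt'    => fn($p) => password_hash($p, PASSWORD_BCRYPT),
];
foreach ($candidates as $name => $fn) {
    printf("%-10s %12.0f hashes/s\n", $name, hashesPerSecond($fn));
}
```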