yii CPasswordHelper: hashPassword and verifyPassword

by

CPasswordHelper works like PHP’s functions password_hash() and password_verify(), they are wrappers around the crypt() function. When you generate a BCrypt hash, you will get a string of 60 characters, containing the salt.

// Hash a new password for storing in the database.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

The variable $hashToStoreInDb will now contain a hash-value like this:

$2y$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
 |  |  |                     |
 |  |  |                     hash-value = K0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
 |  |  |
 |  |  salt = nOUIs5kJ7naTuTFkBy1veu
 |  |
 |  cost-factor = 10 = 2^10 iterations
 |
 hash-algorithm = 2y = BCrypt

The salt you can find after the third $, it is generated automatically by password_hash() using the random source of the operating system. Because the salt is included in the resulting string, the function password_verify(), or actually the wrapped crypt function, can extract it from there, and can calculate a hash with the same salt (and the same cost factor). Those two hashes are then comparable.

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

More Related Contents:

  1. Salting Your Password: Best Practices? [closed]
  2. Hash and salt passwords in C#
  3. How does password salt help against a rainbow table attack?
  4. Salt and hash a password in Python
  5. Best Practices: Salting & peppering passwords?
  6. How long to brute force a salted SHA-512 hash? (salt provided)
  7. Best practice for hashing passwords – SHA256 or SHA512?
  8. Do I need a “random salt” once per password or only once per database?
  9. Why hash_equals and password_verify are not working properly?
  10. Secure hash and salt for PHP passwords
  11. Difference between Hashing a Password and Encrypting it
  12. Are mutable hashmap keys a dangerous practice?
  13. Is it worth hashing passwords on the client side
  14. SHA512 vs. Blowfish and Bcrypt [closed]
  15. Probability of SHA1 collisions
  16. What is the optimal length for user password salt? [closed]
  17. What algorithm should I use to hash passwords into my database? [duplicate]
  18. Do I need to store the salt with bcrypt?
  19. How to create a laravel hashed password
  20. password_hash returns different value every time
  21. When is CRC more appropriate to use than MD5/SHA1?
  22. Why do salts make dictionary attacks ‘impossible’?
  23. Can two different strings generate the same MD5 hash code?
  24. Why is ‘397’ used for ReSharper GetHashCode override?
  25. Is MD5 still good enough to uniquely identify files?
  26. Why are XOR often used in java hashCode() but another bitwise operators are used rarely?
  27. Why not use MD5 for password hashing?
  28. How to “EXPIRE” the “HSET” child key in redis?
  29. Why are 5381 and 33 so important in the djb2 algorithm?
  30. node.js hash string?

Leave a Comment