Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

I think there are more than a few problems with your usage. Number one is that, from the password_hash() documentation that:

password_hash() creates a new password hash using a strong one-way hashingalgorithm. password_hash() is compatible with crypt().Therefore, password hashes created by crypt() can be used with password_hash().

The following algorithms are currently supported:

  • PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0).Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change overtime. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
  • PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
  • -x-SNIP-x-

Supported options for PASSWORD_BCRYPT:

  • salt (string) - to manually provide a salt to use when hashing the password.Note that this will override and prevent a salt from being automatically generated.

    If omitted, a random salt will be generated by password_hash() foreach password hashed. This is the intended mode of operation.

    Warning
    The salt option has been deprecated as of PHP 7.0.0. It is nowpreferred to simply use the salt that is generated by default.

  • cost (integer) - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
You are prepending the '$2y$' string to the output, meaning all of your hashes will begin with '$2y$$2y$', and likely will not be valid when compared with any other generation.

Second, while the PHP documentation for their function recommends not using your own salt, it is also likely not written with the idea of using in concert with another implementation. The salt required for bcrypt is 16 octets for Crypt::Eksblowfish::Bcrypt, but the version required for the PHP implementation is the 22 octet base_64 version:

$ perl -MCrypt::Eksblowfish::Bcrypt -le ' print q{Type: }, q{$2y$}; print q{Cost: }, q{08$}; print q{Salt: }, Crypt::Eksblowfish::Bcrypt::en_base64( q{123456789ABCDEF0} ); print q{Crypt: }, Crypt::Eksblowfish::Bcrypt::en_base64( Crypt::Eksblowfish::Bcrypt::bcrypt_hash( { cost => 8, key_nul => 1, salt => q{123456789ABCDEF0}, }, q{mypassword}, ), );' Type: $2y$ Cost: 08$ Salt: KRGxLBS0Lxe3OSHBPCTEK. Crypt: Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S $ $ php -a Interactive shell php > echo password_hash("mypassword", PASSWORD_BCRYPT, php ( [ 'cost' => 8, 'salt' => 'KRGxLBS0Lxe3OSHBPCTEK.', ], ); $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S php > ^D $
When placed in the same format, you will see that the results are indeed the same:
PHP: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S Perl: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S '$2y$' - Identify to crypt() the format used (bcrypt - '$2y$') '08$ - Identify the cost value used 'KRGxLBS0Lxe3OSHBPCTEK.' - Salt value used ('123456789ABCDEF0'). 'Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S' - Hashed password ('mypassword').

Hope that helps.


In reply to Re: use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP by atcroft
in thread use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP by DaisyLou

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others surveying the Monastery: (5)
    As of 2020-12-04 20:19 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?
      How often do you use taint mode?





      Results (62 votes). Check out past polls.

      Notices?