Password is not equal in hashing

I have problem in authenticating a hashed password… I don’t know what’s wrong but I know it’s not the values…

Here's the code for hashing a password before saving into the db:




	public function beforeSave()
	{
		$ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);
		// repeat_password is the confirmation field, which is equal to $this->password;
		// I used it here because I think hashing $this->password into itself would be redundant.
		$this->password = $ph->HashPassword($this->repeat_password);

		return parent::beforeSave();
	}



Then this one will authenticate the password…


else if (!$ph->CheckPassword($this->password, $record->password))
	$this->errorCode = self::ERROR_PASSWORD_INVALID;

This is then the CheckPassword code:


	function CheckPassword($password, $stored_hash)
	{
		$hash = $this->crypt_private($password, $stored_hash);
		if ($hash[0] == '*')
			$hash = crypt($password, $stored_hash);

		return $hash == $stored_hash;
	}

-Chabx

Hi, Sler.

Could you please show your HashPassword( ) method?

Have a look at that extension: http://www.yiiframework.com/wiki/292/secure-password-hashing-with-bcrypt/

It works fine for me.

Cheers,

Phil.

Your beforeSave() method will always store a new hash when the user model is being saved. Does that happen outside the context of a password change? Because then, an empty string will be hashed and stored.

	function HashPassword($password)
	{
		$random = '';

		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
			$random = $this->get_random_bytes(16);
			$hash =
			    crypt($password, $this->gensalt_blowfish($random));
			if (strlen($hash) == 60)
				return $hash;
		}

		if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
			if (strlen($random) < 3)
				$random = $this->get_random_bytes(3);
			$hash =
			    crypt($password, $this->gensalt_extended($random));
			if (strlen($hash) == 20)
				return $hash;
		}

		if (strlen($random) < 6)
			$random = $this->get_random_bytes(6);
		$hash =
		    $this->crypt_private($password,
		    $this->gensalt_private($random));
		if (strlen($hash) == 34)
			return $hash;

		# Returning '*' on error is safe here, but would _not_ be safe
		# in a crypt(3)-like function used _both_ for generating new
		# hashes and for validating passwords against existing hashes.
		return '*';
	}

Here it is. :)

I will never have a password change. That's one limit of my system. But the hashing of the password is for create only. It will not be updated… The only time it will be used is the creation of a new user account and the retrieving of data when a specific user logs in.

Why don't you call the same method both when saving a hash and when comparing a typed-in password at login time, like:




function CheckPassword($password, $stored_hash) {
    $ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);
    $hash = $ph->HashPassword($password);

    return $hash == $stored_hash;
}



?

How do I code it in beforeSave? What parameter will replace $stored_hash?


public function beforeSave()
{
	$ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);

	// $ph is also redundant if I put
	$ph->CheckPassword($this->repeat_password, <dunno what to put here.>);

	//$this->password = $ph->HashPassword($this->repeat_password);

	return parent::beforeSave();
}

Is this safe to assume?




public function beforeSave()
{
	$ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);

	$this->password = $ph->HashPassword($this->password);

	return parent::beforeSave();
}



Your implementation is not correct: the given code will hash the password value whenever a change occurs. It will work the first time, but if the user changes something (not the password itself), the "beforeSave" method will hash the already hashed password.

I would not do it in the "beforeSave" method. I prefer a rather explicit way of setting the hashed password. You could do something like this:





class ModelWithPassword extends CActiveRecord
{
  // Hashes exactly once, at the point the plaintext is known.
  // hashFunction() stands for whatever hashing routine you use (e.g. phpass HashPassword()).
  public function setNewPassword($password)
  {
    $this->password = hashFunction($password);
  }
}

class ControllerThatHandlesRegistration extends CController
{
  public function actionRegister()
  {
     $model = new ModelWithPassword();
     if (isset($_POST['ModelWithPassword'])) {
        $model->attributes = $_POST['ModelWithPassword'];
        if ($model->validate()) {
          $model->setNewPassword($model->password);
          $model->save();
        }
     }
  }
}




THIS PROBLEM HAS BEEN RESOLVED. Please refer to my new problem, the Roles given to a user. Thanks

Would you kindly tell us what went wrong, then? :)

The PASSWORD column in the database is only string(16), while the HASH is a string(60), so the value is not stored correctly, and thus comparing makes it impossible for them to be identical…
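The root cause found at the end of the thread, as an added example that is not part of any post above: a 60-character bcrypt hash written into a 16-character column is silently truncated (MySQL without strict mode), so no later comparison can ever match. The example also uses the explicit setter pattern suggested above. It uses PHP's built-in password_hash()/password_verify() instead of the phpass library so it runs stand-alone; the column width and the sample password are constructed values.

```php
<?php
// Added example (not from the thread). Reproduces the truncation bug and shows
// the two checks a practitioner would want: hash once via an explicit setter,
// and make sure the column is wide enough to hold the hash.

const PASSWORD_COLUMN_WIDTH = 16;   // constructed: the poster's string(16) column
const BCRYPT_HASH_LENGTH    = 60;   // length of every bcrypt ("$2y$") hash

final class User
{
    public string $password = '';   // holds the *hash*, never the plaintext

    // Explicit setter: hash exactly once, when the plaintext is known,
    // instead of re-hashing on every save in beforeSave().
    public function setNewPassword(string $plaintext): void
    {
        $this->password = password_hash($plaintext, PASSWORD_BCRYPT);
    }

    public function verifyPassword(string $plaintext): bool
    {
        return password_verify($plaintext, $this->password);
    }
}

// Simulates an INSERT into a column of the given width: non-strict MySQL keeps
// only the first $width characters, which is what made the hashes "not equal".
function storeInColumn(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

// Guard to run at startup or in a migration test.
function columnCanHoldHash(int $width): bool
{
    return $width >= BCRYPT_HASH_LENGTH;
}

$plain = 'correct horse battery staple';   // constructed sample password
$user  = new User();
$user->setNewPassword($plain);

$fromDb = new User();
$fromDb->password = storeInColumn($user->password, PASSWORD_COLUMN_WIDTH);

printf("column width %d can hold a bcrypt hash: %s\n", PASSWORD_COLUMN_WIDTH,
       columnCanHoldHash(PASSWORD_COLUMN_WIDTH) ? 'yes' : 'no');
printf("verify against truncated hash: %s\n", $fromDb->verifyPassword($plain) ? 'ok' : 'FAIL');
printf("verify against full hash:      %s\n", $user->verifyPassword($plain) ? 'ok' : 'FAIL');
```

The truncated copy fails verification while the full hash succeeds; widening the column to at least 60 characters (phpass portable hashes are 34) is the actual fix.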