After some troubleshooting, I determined that when I hash a password using the PHP password_hash function, the encryption identifier is $2y$. However, when I use the password_verify function to compare the stored hashed password with the user's password, password_verify will not return true. If I create a new password using the identifier $2a$ at https://www.bcrypt-generator.com/ and replace the stored hashed password with it, it will return true.
I hope someone can explain why password_hash($password, PASSWORD_DEFAULT) uses $2y$ and why password_verify() uses $2a$. Or anything else that I could be doing wrong here, for that matter. I am doing this locally on a WAMP server with PHP version 7.0.10.
Here is an example of the code I'm having problems with (identifier $2y$ does not return true).
<?php
// $hashNotWorking came from password_hash("testing", PASSWORD_DEFAULT)."\n";
$hashNotWorking = '$2y$10$DNPos6f7Vo4Z2IrYU./eCObD7BMkwlkK9yiYjb0hvnI14B1dbFHbC';
if (password_verify('testing', $hashNotWorking)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
The following is an example of code that works ($2a$ encryption NOT generated by password_hash).
<?php
// $hashWorking came from https://www.bcrypt-generator.com/
$hashWorking = '$2a$08$uP75n/pDhUZo6qOOM3DuPug5U2fcSXW4f3MUz8p3SlO5yPZ4fLf9O';
if (password_verify('testing', $hashWorking)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
Thanks in advance for your help.
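Added example, not part of the original post: password_verify() accepts both the $2y$ and $2a$ bcrypt prefixes, so a useful first check is whether the stored string is still a complete 60-byte bcrypt hash before it reaches password_verify(). The helper name check_bcrypt_hash() and the damaged sample hashes are constructed for illustration.

```php
<?php
// Added diagnostic example; check_bcrypt_hash() is a hypothetical helper name.
function check_bcrypt_hash(string $password, string $stored): array
{
    // A bcrypt string is exactly 60 bytes: "$2a$", "$2x$" or "$2y$",
    // a two-digit cost, "$", then 53 characters of salt and digest.
    // \z (not $) is used so a trailing newline is not silently accepted.
    $wellFormed = preg_match('~\A\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}\z~', $stored) === 1;

    return [
        'length'      => strlen($stored),
        'prefix'      => substr($stored, 0, 4),
        'well_formed' => $wellFormed,
        'verifies'    => password_verify($password, $stored),
    ];
}

// Constructed sample inputs: one fresh hash and damaged copies of it.
// PASSWORD_BCRYPT is the algorithm PASSWORD_DEFAULT selects on PHP 7.0.
$fresh = password_hash('testing', PASSWORD_BCRYPT);

$samples = [
    'fresh from password_hash'  => $fresh,
    'truncated to 50 bytes'     => substr($fresh, 0, 50),   // e.g. a column that is too short
    'trailing newline'          => $fresh . "\n",           // e.g. read from a file without trim()
    'same hash relabelled $2a$' => '$2a$' . substr($fresh, 4),
];

foreach ($samples as $label => $hash) {
    $r = check_bcrypt_hash('testing', $hash);
    printf(
        "%-27s length=%2d prefix=%s well_formed=%-3s verifies=%s\n",
        $label,
        $r['length'],
        $r['prefix'],
        $r['well_formed'] ? 'yes' : 'no',
        $r['verifies'] ? 'yes' : 'no'
    );
}
```

Running the same helper against the value actually read back from storage shows whether the hash was altered between password_hash() and password_verify().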