Adam.M Adam.M - 24 days ago 12
PHP Question

Why is php password_verify and password_hash using different encryption identifiers?

After some troubleshooting, I have determined that when I hash a password using PHP's password_hash function, the encryption identifier is $2y$. However, when I use the password_verify function to compare the stored hashed password with the user input password, password_verify will not return true. If I generate a new password using the $2a$ identifier on https://www.bcrypt-generator.com/ and replace the stored hashed password with it, it returns true.

I'm hoping someone can explain why password_hash($password, PASSWORD_DEFAULT) is using $2y$ and why password_verify() is using $2a$. Or anything else I might be doing wrong here for that matter. I am doing this locally on WAMP Server running PHP Version 7.0.10.

Here is an example of the code I am having trouble with ($2y$ identifier will not return true).

<?php
// $hashNotWorking came from password_hash("testing", PASSWORD_DEFAULT)."\n";
$hashNotWorking = '$2y$10$DNPos6f7Vo4Z2IrYU./eCObD7BMkwlkK9yiYjb0hvnI14B1dbFHbC';

if (password_verify('testing', $hashNotWorking)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
?>


Here is an example of the code that is working ($2a$ encryption NOT generated by password_hash function).

<?php
// $hashWorking came from https://www.bcrypt-generator.com/
$hashWorking = '$2a$08$uP75n/pDhUZo6qOOM3DuPug5U2fcSXW4f3MUz8p3SlO5yPZ4fLf9O';

if (password_verify('testing', $hashWorking)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
?>


Thanks in advance for the help.

Answer

I suspect that there might have been whitespace introduced in the original hash and/or a <br>, or that some may have been introduced by the user.

I have seen cases like this often before.

If that is the case, trim() it.

Create a new hash as per what I mentioned in comments and it will work.

echo $var = password_hash("testing", PASSWORD_DEFAULT)."\n";

Then paste it in place of what your present hash is.