Andrés Andrés - 1 month ago 7
PHP Question

PHP BCrypt for Ruby on Rails Devise passwords

I am trying to verify with PHP some passwords generated by Devise Ruby on Rails.
Devise was configured to use bcrypt.

My code is:

$database_record = "$2a$10$..."; // generated by devise
$user_input = 'asdasd';
$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');

if (crypt($user_input, $database_record) == $password) {
    echo "<br/>Password verified!";
} else {
    echo '<br/>failed!';
}

The documentation I saw uses this method, but it doesn't work for me. Am I forgetting something?
Should the "pepper string" be used in any way?


I'm confused about this part.

$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');

I think you got confused by a later part of the documentation specifying how to create a hash and guarantee that it's bcrypt. In your case, you're verifying a hash so it will automatically do that.

What you want to do is skip that and do:

if (crypt($user_input, $database_record) == $database_record) {

So if this works how I'd expect it to, crypt($user_input, $database_record) will take the salt from $database_record and use it to run bcrypt on $user_input. Then you want to compare the result to $database_record again since it's the bcrypt hash of the correct password.
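The check described in the answer, as an added example that is not code from the question or the answer. It also covers the pepper the asker mentions: when `config.pepper` is set in Devise, the pepper is appended to the plaintext before bcrypt runs, so the PHP side has to append the same string before calling crypt(). The function name and the pepper value are assumptions for the demo; no real Devise record is available here, so the stored digest is constructed with password_hash() and its prefix rewritten to the `$2a$` form Devise writes.

```php
<?php
// Added example: verifying a Devise bcrypt digest from PHP.
// Devise stores crypt-style strings "$2a$<cost>$<22-char salt><31-char hash>".
// PHP's crypt() reads cost and salt out of that string, so the stored digest
// itself is passed as the second argument and the result is compared to it.
declare(strict_types=1);

// $pepper must be the value of config.pepper from config/initializers/devise.rb,
// or '' if no pepper is configured (Devise's default).
function verify_devise_password(string $userInput, string $storedDigest, string $pepper = ''): bool
{
    // Devise emits "$2a$"; PHP's password_hash() emits "$2y$". crypt() accepts
    // both. Reject anything else rather than letting crypt() fall back to a
    // weaker scheme (DES/MD5) on a malformed or truncated record.
    if (preg_match('/^\$2[ay]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $storedDigest) !== 1) {
        return false;
    }

    // Devise hashes "#{password}#{pepper}" when a pepper is configured and the
    // bare password otherwise; appending '' mirrors the second case.
    $computed = crypt($userInput . $pepper, $storedDigest);

    // hash_equals() compares in constant time and without type coercion,
    // unlike == which stops at the first differing byte.
    return hash_equals($storedDigest, $computed);
}

// --- demo with a constructed record ------------------------------------
$pepper = 'assumed-pepper-value'; // assumption: whatever config.pepper holds in the Rails app
$plain  = 'asdasd';

// Build a digest the way Devise would: cost 10, pepper appended. password_hash()
// gives "$2y$..."; for ASCII input PHP computes the same bcrypt output under
// "$2a$", so rewriting the prefix imitates what Devise writes to the database.
$record = password_hash($plain . $pepper, PASSWORD_BCRYPT, ['cost' => 10]);
$record = '$2a$' . substr($record, 4);

var_dump(verify_devise_password('asdasd', $record, $pepper));
var_dump(verify_devise_password('asdasd', $record));            // pepper omitted
var_dump(verify_devise_password('wrong', $record, $pepper));
var_dump(verify_devise_password('asdasd', 'not-a-bcrypt-hash', $pepper));
```

Run with `php verify.php`: the first call is the only one that returns true. The second shows why the asker's pepper question matters: with a pepper configured in Devise, verifying the bare password fails even though the password is correct. The last call shows the prefix check refusing a record that is not a bcrypt digest instead of handing it to crypt() as a salt for a weaker algorithm.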