I am basing my bcrypt creation on this site.
I have made some changes to it, though, so this is my version of the code: My version of bcrypt
I have started working on my login form, and I have come to the general understanding that to check a user's credentials you must:
- recreate the bcrypt
- compare the $_POST['password'] that is being submitted to the password you have stored in the database.
- return a row count, so if a row is returned where the password that you recreated matches the already stored password, then the row count must == 1
What I am confused about:
- How do I let the checklogin form know what the bcrypt function was to begin with? Do I have to include the register script, or do I have to copy and paste the bcrypt function?
I have tried to implement this in my user authentication, and for some reason it is not working for me.
This is my code; hopefully someone sees a problem that I don't.
Any help would be greatly appreciated.
What your code is trying to do is similar to how the old unsalted md5() hashes were looked up: PHP calculates the hash, and then the database lookup is done based on that hash value and the user name. Because your code is using a different salt each time it needs to verify a given password, the lookup in the database would practically never work.
With bcrypt it works like this:
Fetch the database record based on the user name.
Use the stored password hash in there to compare against the posted password:
Tips
Generating a salt for bcrypt can be much easier (you don't need 10k characters):
Also, the cost parameter of 17 is really big... unless you're running serious hardware, you're going to bring down the site when someone tries to brute force a password.
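The two steps from the answer (fetch by user name, then verify the posted password against the stored hash) written out in PHP, as an added example that is not code from the question or the answer. It assumes a `users` table with `username` and `password_hash` columns, uses an in-memory SQLite database through PDO as a stand-in for the real database, and relies on PHP's built-in `password_hash()`/`password_verify()` (the stored string carries its own salt and cost, so no separate bcrypt function has to be shared between the register and login scripts). The cost of 12 and the table layout are assumptions; the `checkLoginWithCrypt()` helper shows the same verification for hashes produced by hand-rolled `crypt()` code like the question's. Requires PHP 7.0 or later for `random_bytes()`.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumptions: table users(username TEXT PRIMARY KEY, password_hash TEXT),
// SQLite in memory as a stand-in for the real database, PHP >= 7.0.
declare(strict_types=1);

// Assumed cost: high enough to slow offline cracking, low enough that a burst
// of logins does not take the site down (cost 17 is 32x the work of cost 12).
const BCRYPT_COST = 12;

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

function createUser(PDO $db, string $username, string $password): void
{
    // password_hash() draws its own random salt and embeds it in the output
    // ("$2y$12$" + 22 salt chars + 31 hash chars), so only this string is stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Hash of a throwaway password, so a login attempt for an unknown user costs
// the same bcrypt work as one for a real user (no timing oracle on user names).
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $hash;
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    // Step 1: look the row up by user name only. Never put a freshly computed
    // hash in the WHERE clause: a new salt gives a new hash, so it never matches.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, dummyHash());
        return false;
    }

    // Step 2: password_verify() reads cost and salt out of the stored hash,
    // recomputes bcrypt over the submitted password and compares in constant time.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Hashes made earlier with a lower cost get upgraded on a successful login.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upgrade = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upgrade->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':u' => $username,
        ]);
    }
    return true;
}

// The same check for hashes produced by hand-rolled crypt() code such as the
// question's: the stored "$2y$NN$<salt><hash>" string doubles as the salt
// argument, so bcrypt is recreated with the original salt and cost, and the
// result is compared in constant time.
function checkLoginWithCrypt(string $storedHash, string $password): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Demo run against the in-memory database.
$db = openDatabase();
createUser($db, 'alice', 'correct horse battery staple');
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'correct horse battery staple'));
```

Run it with `php login.php`: only the first `checkLogin()` call succeeds. The row-count approach from the question is replaced by fetching at most one row and letting `password_verify()` decide; the hash itself never appears in a SQL `WHERE` clause.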