Sorry, this may be dumb, but there is something I don’t understand about Phpass. If I can create a secure hashed password like this:
$pwdHasher = new PasswordHash(8, FALSE);
$hash = $pwdHasher->HashPassword( $password );
and later check it like this:
$checked = $pwdHasher->CheckPassword($password, $hash);
then that means that logically the passwords must be stored in such a way as they can only be read on a specific machine (otherwise someone could just use the “CheckPassword” function on another machine to get the password). How does Phpass do this?
If I need to move a website to a new server in the future, doesn’t this cause a problem? How do I safely backup my database such that in case of a major server failure, I can recover all the passwords? (Am I missing something obvious?)
Edit – in response to the comments below, if different machines do not affect it then if a hacker gets access to my database, why can’t they just execute CheckPassword on their own machine to get the original password? Sorry, I must be missing something obvious.
Edit 2 – Damn, I was missing something obvious. The compare function only checks the given password against the hashed one and returns true or false – you never actually have to have access to the password itself. Apologies for being dumb!
The hashes created by bcrypt use the modular crypt format that does not just contain the hash value but also an indicator of the used hash function, the number of rounds, and the salt that has been used to create the hash value. In your case the returned strings look like this:
That means everything you need to verify a password is stored in this string.
The reason why attackers can’t just use this string and get the original password is because of one significant property of a good cryptographic hash functions: “it is infeasible to generate a message that has a given hash.”