I’m working on a password hashing system using Blowfish encryption. I found this cool class online but I’m having trouble with it. Here’s what I’m doing:
require_once("secure_pass.php");
$encryptor = new SecureHash(8, FALSE);
$encryptor->CreateHash($_POST['user_pass']);
The weird thing is, when I input the same password (like ‘mypass123’), it gives me a different hash each time. That’s not like MD5 at all!
So now I’m stuck. How do I check if the password a user types matches what’s in my database? I tried this:
$encryptor->verifyPassword($_POST['user_pass'], "stored_hash_from_db");
But I get nothing. Blank screen. What am I doing wrong?
I’m just testing this locally, not for a real site yet. Any ideas on how to make this work? Or should I use something else instead?
I’ve been there, struggling with password hashing too. From what I see, you’re on the right track using Blowfish, but there’s an easier way in PHP.
Instead of that custom class, try PHP’s built-in functions: password_hash() for creating hashes and password_verify() for checking them. They’re designed specifically for this and handle all the tricky bits like salting automatically.
Here’s how I do it:
// Hashing
$hashed = password_hash($_POST['user_pass'], PASSWORD_BCRYPT);
// Verifying
if (password_verify($_POST['user_pass'], $stored_hash_from_db)) {
    // Password correct
} else {
    // Wrong password
}
Those different hashes you’re seeing for the same password? That’s actually a good thing. It’s a security feature to prevent certain types of attacks.
This approach is much simpler and considered very secure. Give it a shot and see if it solves your issues!
It looks like you’re on the right track with using Blowfish for password hashing, but there’s a simpler way to do this in PHP. Instead of using a custom class, you can use PHP’s built-in password_hash() and password_verify() functions. These are specifically designed for secure password handling.
Here’s how you can hash a password:
$hashedPassword = password_hash($_POST['user_pass'], PASSWORD_BCRYPT);
And to verify it later:
if (password_verify($_POST['user_pass'], $storedHashFromDb)) {
    // Password is correct
} else {
    // Password is incorrect
}
This approach automatically handles salting and is considered very secure. It’s also much easier to use than implementing your own hashing system. The different hashes you’re seeing for the same password are actually a good thing - it’s a security feature to prevent certain types of attacks.
hey, looks like ur using blowfish. try php’s built-in password_hash() and password_verify() functions instead. they handle salts and make things secure. those different hashes are intentional!
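An added example, not part of any post in this thread: it shows why two bcrypt hashes of the same password differ yet both verify, and how a stored hash can be upgraded at login. The sample password, the cost values and the helper name checkLogin are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample value; on the page this comes from $_POST['user_pass'].
$password = 'mypass123';

// Each call draws a fresh random salt, so the two strings differ.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo "hashes identical: ", var_export($hashA === $hashB, true), "\n";

// bcrypt string layout: $2y$<cost>$<22-char salt><31-char digest>, 60 chars.
[, $variant, $cost, $rest] = explode('$', $hashA);
printf("variant=%s cost=%s salt=%s len=%d\n",
    $variant, $cost, substr($rest, 0, 22), strlen($hashA));

// password_verify() reads variant, cost and salt back out of the stored
// string, recomputes the digest and compares, so no separate salt column
// is needed: store the whole string and pass it back unchanged.
foreach ([[$password, $hashA], [$password, $hashB], ['wrongpass', $hashA]] as [$pw, $h]) {
    echo "$pw vs ", substr($h, 0, 12), "... => ",
        var_export(password_verify($pw, $h), true), "\n";
}

// Hypothetical login helper: verify first, then check whether the stored
// hash was made with a lower cost than the current target and, if so,
// return a replacement hash for the caller to write back to the database.
function checkLogin(string $submitted, string $storedHash, int $targetCost = 12): array
{
    if (!password_verify($submitted, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $options = ['cost' => $targetCost];
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
        ? password_hash($submitted, PASSWORD_BCRYPT, $options)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

$result = checkLogin($password, $hashA);
echo "login ok: ", var_export($result['ok'], true),
    ", rehash issued: ", var_export($result['newHash'] !== null, true), "\n";
```

password_verify() returns a boolean and prints nothing, so its result has to be branched on or dumped to become visible.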