Does PHP have a password_verify bug?

Time: 05-22

The following code snippet should not emit 'MATCHED' because the password 'testtest' does not match 'testtesttest', but does on PHP 7.4.3 for me. Am I doing something wrong?

<?php
$sPass = 'testtesttest';
// hash() returns a hex digest: 64 characters for sha256
$sSalt = hash('sha256','this is my salt');
// salt prepended to the password, then hashed with bcrypt
$sShadow = password_hash($sSalt . $sPass,PASSWORD_BCRYPT);
// 'testtest' is not the password, so this should print 'nomatch'
echo (password_verify($sSalt . 'testtest',$sShadow) ? 'MATCHED' : 'nomatch');

Note, if you remove the salt references above, the code works fine. It's like the password_hash and password_verify functions of PHP have a size limitation where they are no longer accurate if the string is longer than so many characters.

So, I'm thinking this is a bug.

CodePudding user response:

BCrypt can only handle 72 characters; your salt takes up 64 characters, so only 8 characters of your password are considered.

The input to the bcrypt function is the password string (up to 72 bytes), a numeric cost, and a 16-byte (128-bit) salt value.

Use the binary form of your salt to not "waste" as many characters or just don't use one at all, as password_hash will generate one anyway.
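As an added illustration (example code, not part of the original question or answer), the script below measures how many password bytes survive the 72-byte bcrypt limit for each construction and shows the question's false match beside two prefixes that keep the full password inside the limit. It assumes PHP 7.x or later with the bcrypt backend; the helper names are made up for this example.

```php
<?php
// Added example, not the original poster's code.
// bcrypt compares at most 72 input bytes; anything after that is ignored.
const BCRYPT_MAX_INPUT = 72;

// How many bytes of $password bcrypt will actually take into account
// once a fixed $prefix has been prepended to it.
function bcryptEffectivePasswordBytes(string $prefix, string $password): int {
    $budget = BCRYPT_MAX_INPUT - strlen($prefix);
    return max(0, min(strlen($password), $budget));
}

// Guard for callers that build their own input: fail loudly instead of
// letting bcrypt silently truncate.
function assertFitsBcrypt(string $input): void {
    if (strlen($input) > BCRYPT_MAX_INPUT) {
        throw new LengthException('bcrypt input exceeds 72 bytes and would be truncated');
    }
}

$password = 'testtesttest';
$wrong    = 'testtest';

// Case 1: the question's construction. The hex digest is 64 bytes, so only
// the first 8 bytes of the password are compared and 'testtest' matches.
$hexSalt = hash('sha256', 'this is my salt');          // 64 hex characters
$hash    = password_hash($hexSalt . $password, PASSWORD_BCRYPT);
printf("hex prefix:    %2d password bytes considered, wrong password -> %s\n",
    bcryptEffectivePasswordBytes($hexSalt, $password),
    password_verify($hexSalt . $wrong, $hash) ? 'MATCHED' : 'nomatch');

// Case 2: the answer's "binary form". Raw digest bytes may contain NUL, which
// bcrypt treats as end of string and PHP's password_hash rejects, so the
// 32-byte digest is base64-encoded instead (44 bytes, never NUL).
$b64Salt = base64_encode(hash('sha256', 'this is my salt', true));
assertFitsBcrypt($b64Salt . $password);
$hash = password_hash($b64Salt . $password, PASSWORD_BCRYPT);
printf("base64 prefix: %2d password bytes considered, wrong password -> %s\n",
    bcryptEffectivePasswordBytes($b64Salt, $password),
    password_verify($b64Salt . $wrong, $hash) ? 'MATCHED' : 'nomatch');

// Case 3: no manual prefix at all; password_hash generates its own random
// 16-byte salt and stores it in the returned string.
$hash = password_hash($password, PASSWORD_BCRYPT);
printf("no prefix:     %2d password bytes considered, wrong password -> %s\n",
    bcryptEffectivePasswordBytes('', $password),
    password_verify($wrong, $hash) ? 'MATCHED' : 'nomatch');
```

Only the first case reports 'MATCHED'; the other two compare every byte of the password, and the guard rejects any input that would exceed the bcrypt limit.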
