Issue with Bcrypt not verifying correctly

问题

I'm using a script that ircmaxell wrote called password_compat. I thought I followed his instructions correctly, but I cannot seem to get my password verified using password_verify($password, $hash).

The hashed password saved in my database is;

$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q

I'm using PDO to grab my hashed password and using password_verify($password, $hash) to compare what the login form is posting. It's my understanding that BRCYPT is not a hashing function so password_verify($password, $hash) will do it's magic. I have no idea how the salt is created, but I would think it creates a custom salt for every new password, but how it can compare it to my saved password baffles me. How does it match the correct salt with the password? This whole not saving the salt in my database kind of confuses me, lol. Here is the code I'm using;

bcrypt

if($login->verifyip($_SERVER['REMOTE_ADDR']))
{
    require_once 'password.php'; //password_compat supplied file

    $username   = $_POST['username'];
    $password   = $_POST['password'];
    $dbpassword = $login->GetPassword($username); // pull saved password from db

    // verify posted password with saved password
    if(password_verify($dbpassword, $password))
    {
        echo 'verified';
    }
    else
    {
        echo 'not verified';
    }
}

PDO

public function GetPassword($username)
{
    $passwordSQL = 'CALL get_password(:_user)'; // using stored procedure
    try
    {
        $pdo = new PDO('my login stuff');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $password = $pdo->prepare($passwordSQL);
        $password->bindParam(':_user',$username);
        $password->execute();
        $fetch = $password->fetchColumn(0);
        $password->closeCursor();
        return $fetch;
    }
    catch(PDOException $e)
    {
         return 'error' . $e->getMessage();
         exit();
    }        
}

I removed $hash like blender suggested.

Thanks for having a look :)

回答1:

password_verify's arguments are the other way around:

password_verify($password, $dbpassword)

As for how it works, the hash is of this form:

$<algorithm>$<cost>$<salt>/<hash>

So from the hash:

$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q

You can see that the cost is 10, the salt is zYpSzIj7kTPv3H7wDI and that bcrypt(salt + password) is uXSYqi1se46b38uumP6SM4XGMmsjU3q.

password_verify extracts that information from your supplied hash and just checks if bcrypt(salt + password) == hash.

来源：https://stackoverflow.com/questions/16246082/issue-with-bcrypt-not-verifying-correctly