undefined | Better HN

0 pointsbungle13y ago0 comments

I don't think they store three hashes, but just try to validate password with three hashes.

Something inline this: https://github.com/bungle/web.php/blob/master/password.php#L...

0 comments

2 comments · 1 top-level

sehe13y ago· 1 in thread

What's the password doing on their server?

Also, why is there no salt in the comparison. It calls a naked crypt, that whole ... interesting ... hash() function is sitting there unused.

I have serious doubts whether this code actually serves the user's interest - despite trying to be cute and helpful

bungleOP13y ago

You seemingly don't understand a bit about it. And you seemingly doesn't understand how crypt works. Let me educate you:

1. When user registers, his password is hashed with that hash-function, and that hash is stored in a database (it uses random salt).

2. When user tries to access the site, a password is hashed against the hash stored in a database, and it should return same hash if matched (this is how crypt works!).

3. In non strict mode we try also two different passwords to match the hashes (just like Facebook does).

Code example:

1. $hash = \password\hash('user entered password'); // store it to db

2. retrieve hash from db, and check it:

$valid = \password\check('user entered password', $hash, false);

3. // Now these passwords are valid:

'user entered password' // == correct form

'User entered password' // == Mobile browser capitalizing first char

'USER ENTERED PASSWORD' // == CAPS LOCK on

And one line example:

$valid = \password\check('user entered password', \password\hash('user entered password'), false); // == true

j / k navigate · click thread line to collapse