php - Verifying MD5 passwords using password_verify()
Is there a way to convert an MD5 password so it can be verified with password_verify()?

I read on the crypt Wikipedia page that "the printable form of MD5 password hashes starts with $1$."

Hence I gave it a shot (without luck):

    $password = "abcd1234";
    $md5hash = "$1$".md5($password);
    var_dump(password_verify($password, $md5hash));

Is there a way to make password_verify() work with MD5 passwords?

The reason for my question: I have an old system where the passwords are stored as MD5 hashes. I want to start using the more secure password hashing API. If I'm able to convert the existing password hashes so that it works with password_verify(), I can update the database entries (prepend $1$ to the password hashes), and the program will work beautifully using the following code (I don't have to make a special case for old MD5 passwords):

    $password; // provided by the user when trying to log in
    $hash;     // loaded from the database based on the username provided by the user

    if (password_verify($password, $hash)) {
        // The following lines will both update the MD5 passwords
        // and the passwords whenever the default hashing algorithm is updated
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            $hash = password_hash($password, PASSWORD_DEFAULT);
            // store the new hash in the database
        }
        // user is logged in
    } else {
        // user is not logged in
    }

You can't do that.

What you can do is hash the already MD5-hashed passwords via password_hash(), and put an additional flag for these old passwords in your database, so that you know to double-verify them afterwards.

Some sample code:

    // Flagged (old) rows store password_hash(md5($password)), so compare against the MD5 of the input
    $passwordcompare = ($passwordisoldflag === true) ? md5($passwordinput) : $passwordinput;

    if (password_verify($passwordcompare, $passwordhash)) {
        if ($passwordisoldflag === true) {
            $passwordnewhash = password_hash($passwordinput, PASSWORD_DEFAULT);
            // Here, you'd update the database with the new, purely bcrypt hash
            // and set passwordisoldflag to 0
        }
    }

Note: MD5 produces a 32 character length string, while password_hash() is a minimum of 60.

Read the manual:

If and when you decide to use password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/, it is important to note that if your present password column's length is lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to alter your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.
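
The wrap-and-flag migration from the answer above, run end to end as an added example (not code from the original question or answers): a one-time batch step wraps each stored MD5 hash with password_hash(), and the login path double-verifies flagged rows and replaces them with a plain password_hash() value on the first successful login. The in-memory `$users` array, the `is_old` field and the function names are assumptions standing in for the real users table, and the stored MD5 values are assumed to be lowercase hex as produced by md5().

```php
<?php
// Constructed sample data: one legacy row holding a raw MD5 hash (hypothetical schema).
$users = [
    'alice' => ['hash' => md5('abcd1234'), 'is_old' => false],
];

// Step 1 (one-time batch): wrap every raw MD5 hash with password_hash() and flag the row.
function wrapLegacyHashes(array &$users): void
{
    foreach ($users as &$row) {
        // A raw MD5 hash is exactly 32 hex characters; anything else is left alone.
        if (preg_match('/^[0-9a-f]{32}$/', $row['hash']) === 1) {
            $row['hash'] = password_hash($row['hash'], PASSWORD_DEFAULT);
            $row['is_old'] = true;
        }
    }
    unset($row); // drop the dangling reference left by foreach
}

// Step 2 (every login): double-verify flagged rows, then upgrade on success.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];
    // Flagged rows store password_hash(md5($password)), so feed MD5 of the input.
    $candidate = $row['is_old'] ? md5($password) : $password;
    if (!password_verify($candidate, $row['hash'])) {
        return false;
    }
    // The plaintext is available here, so replace the wrapped or outdated hash now.
    if ($row['is_old'] || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $row['is_old'] = false;
    }
    return true;
}

wrapLegacyHashes($users);
var_dump(strlen($users['alice']['hash']) >= 60); // wrapped hash needs the wider column
var_dump(login($users, 'alice', 'wrong'));       // rejected, row stays flagged
var_dump(login($users, 'alice', 'abcd1234'));    // accepted via the MD5 double-verify
var_dump($users['alice']['is_old']);             // flag state after the upgrade
var_dump(login($users, 'alice', 'abcd1234'));    // accepted via the plain path
```

After the batch step no raw MD5 value remains in storage, even for accounts that never log in again.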