Using the PHP Function Password_Verify
Every web application that allows users to authenticate needs to ensure their user passwords are afforded the best protection. Conventionally, this is done by storing only the hash of a password rather than the actual password itself. This is a great idea for the security of your users’ passwords but it also means that you need to verify that a given password hash matches the inputted password. This is where the php function password_verify comes in.
The php function password_hash() creates a strong one-way hash of the original password and the php function password_verify() matches this hash to the user inputted password. The advantage of using the php function password_verify() is that it includes all hashing information in the returned string, such as the algorithm, the cost and the salt value. This makes the function safe against timing attacks.
During a recent web assessment at Excellium, our Intrusion & AppSec team came across a web application that was using the bcrypt 1 hashing algorithm to secure their users’ passwords. The bcrypt algorithm is a recommended method for securely storing user passwords. However, the devil is in the details and our team discovered a few different vulnerabilities related to bcrypt.
During the assessment, our team found that the php function password_verify() was used to compare a given unhashed password with a stored one in the database. While this is a fine way to check for password matches, there are many other cases where you could use the much more versatile php function hash_equals() instead. This functions takes two arguments, the first being the unhashed password and the second being the hash that is stored in your database. The function will return a Boolean data type.