password_verify - PHP code example

Using the PHP Function Password_Verify

Every web application that allows users to authenticate needs to ensure their user passwords are afforded the best protection. Conventionally, this is done by storing only the hash of a password rather than the actual password itself. This is a great idea for the security of your users’ passwords but it also means that you need to verify that a given password hash matches the inputted password. This is where the php function password_verify comes in.

The php function password_hash() creates a strong one-way hash of the original password and the php function password_verify() matches this hash to the user inputted password. The advantage of using the php function password_verify() is that it includes all hashing information in the returned string, such as the algorithm, the cost and the salt value. This makes the function safe against timing attacks.

During a recent web assessment at Excellium, our Intrusion & AppSec team came across a web application that was using the bcrypt 1 hashing algorithm to secure their users’ passwords. The bcrypt algorithm is a recommended method for securely storing user passwords. However, the devil is in the details and our team discovered a few different vulnerabilities related to bcrypt.

During the assessment, our team found that the php function password_verify() was used to compare a given unhashed password with a stored one in the database. While this is a fine way to check for password matches, there are many other cases where you could use the much more versatile php function hash_equals() instead. This functions takes two arguments, the first being the unhashed password and the second being the hash that is stored in your database. The function will return a Boolean data type.

password_verify example

'username' => self::TEST_USERNAME,
            '--password' => $newPassword,
        ]);

        $expected = 'The password of user "' . self::TEST_USERNAME . '" has been changed successfully.';
        static::assertStringContainsString($expected, $commandTester->getDisplay());
        static::assertEquals(0, $commandTester->getStatusCode());

        /** @var UserEntity $user */
        $user = $this->userRepository->search(new Criteria([$userId]), $this->context)->first();

        $passwordVerify = password_verify($newPassword, $user->getPassword());
        static::assertTrue($passwordVerify);
    }

    public function testEmptyPasswordOption(): void
    {
        $commandTester = new CommandTester($this->getContainer()->get(UserChangePasswordCommand::class));

        static::expectException(\RuntimeException::class);
        static::expectExceptionMessage('The password cannot be empty');

        $commandTester->setInputs(['', '', '']);

->expects(static::exactly(\count($constraints)))->method('validate')
            ->willReturn($constraintViolations);

        $result = $this->serializer->encode($field, $existence, $kv, $params)->current();

        if ($inputPassword) {
            $inputPasswordHashed = !empty(password_get_info($inputPassword)['algo']);

            if ($inputPasswordHashed) {
                static::assertEquals($inputPassword, $result);
            } else {
                static::assertTrue(password_verify($inputPassword, $result));
            }
        }
    }

    /** * @return iterable<string, array<int|string|array<int, Constraint>|bool|null>> */
    public static function encodeProvider(): iterable
    {
        $minPasswordLength = 8;

if ($this->isPasswordTooLong($plainPassword)) {
            return false;
        }

        if (!str_starts_with($hashedPassword, '$argon')) {
            if (str_starts_with($hashedPassword, '$2') && (72 < \strlen($plainPassword) || str_contains($plainPassword, "\0"))) {
                $plainPassword = base64_encode(hash('sha512', $plainPassword, true));
            }

            // Accept validating non-argon passwords for seamless migrations             return password_verify($plainPassword, $hashedPassword);
        }

        if (\function_exists('sodium_crypto_pwhash_str_verify')) {
            return sodium_crypto_pwhash_str_verify($hashedPassword, $plainPassword);
        }

        if (\extension_loaded('libsodium')) {
            return \Sodium\crypto_pwhash_str_verify($hashedPassword, $plainPassword);
        }

        return false;
    }

    {
        if ('' === $plainPassword || $this->isPasswordTooLong($plainPassword)) {
            return false;
        }

        if (!str_starts_with($hashedPassword, '$argon')) {
            // Bcrypt cuts on NUL chars and after 72 bytes             if (str_starts_with($hashedPassword, '$2') && (72 < \strlen($plainPassword) || str_contains($plainPassword, "\0"))) {
                $plainPassword = base64_encode(hash('sha512', $plainPassword, true));
            }

            return password_verify($plainPassword, $hashedPassword);
        }

        if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {
            return sodium_crypto_pwhash_str_verify($hashedPassword, $plainPassword);
        }

        if (\extension_loaded('libsodium') && version_compare(phpversion('libsodium'), '1.0.14', '>=')) {
            return \Sodium\crypto_pwhash_str_verify($hashedPassword, $plainPassword);
        }

        return password_verify($plainPassword, $hashedPassword);
    }

        $payload = $passwordFieldHandler->encode($field, $existence, $kvPair, new WriteParameterBag(
            $this->getContainer()->get(UserDefinition::class),
            WriteContext::createFromContext(Context::createDefaultContext()),
            '',
            new WriteCommandQueue()
        ));

        $payload = iterator_to_array($payload);
        static::assertNotEquals($kvPair->getValue(), $payload['password']);
        static::assertTrue(password_verify((string) $kvPair->getValue(), (string) $payload['password']));
    }

    public function testValueIsRequiredOnInsert(): void
    {
        $field = new PasswordField('password', 'password');
        $field->addFlags(new ApiAware(), new Required());

        $existence = new EntityExistence($this->getContainer()->get(UserDefinition::class)->getEntityName(), [], false, false, false, []);
        $kvPair = new KeyValuePair('password', null, true);

        $exception = null;

return \defined('PASSWORD_ARGON2ID');
    }

    /** * @param string $password * @param string $hash * * @return bool */
    public function isPasswordValid($password, $hash)
    {
        return password_verify($password, $hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_ARGON2ID, $this->options);

->with(
                'user',
                static::callback(static function Darray $data) use ($localeId): bool {
                    static::assertEquals('admin', $data['username']);
                    static::assertEquals('first', $data['first_name']);
                    static::assertEquals('last', $data['last_name']);
                    static::assertEquals('test@test.com', $data['email']);
                    static::assertEquals($localeId, $data['locale_id']);
                    static::assertFalse($data['admin']);
                    static::assertTrue($data['active']);

                    return password_verify('shopware', (string) $data['password']);
                })
            );
        $connection->expects(static::once())->method('fetchOne')->willReturn(json_encode(['_value' => 8]));
        $connection->expects(static::exactly(2))->method('createQueryBuilder')->willReturnOnConsecutiveCalls(
            new FakeQueryBuilder($connection, []),
            new FakeQueryBuilder($connection, [[$localeId]])
        );

        $user = [
            'firstName' => 'first',
            'lastName' => 'last',

  /** * {@inheritdoc} */
  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash) {     // Prevent DoS attacks by refusing to check large passwords.     if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
      return FALSE;
    }

    return password_verify($password, $hash);
  }

  /** * {@inheritdoc} */
  public function needsRehash(#[\SensitiveParameter] $hash) {     return password_needs_rehash($hash, $this->algorithm, $this->options);
  }

}

if ($customer->hasLegacyPassword()) {
            if (!$this->legacyPasswordVerifier->verify($password, $customer)) {
                throw CustomerException::badCredentials();
            }

            $this->updatePasswordHash($password, $customer, $context->getContext());

            return $customer;
        }

        if ($customer->getPassword() === null
            || !password_verify($password, $customer->getPassword())) {
            throw CustomerException::badCredentials();
        }

        if (!$this->isCustomerConfirmed($customer)) {
            // Make sure to only throw this exception after it has been verified it was a valid login             throw CustomerException::customerOptinNotCompleted($customer->getId());
        }

        return $customer;
    }

$user = $builder->select(['user.id', 'user.password'])
            ->from('user')
            ->where('username = :username')
            ->setParameter('username', $username)
            ->executeQuery()
            ->fetchAssociative();

        if (!$user) {
            return null;
        }

        if (!password_verify($password, (string) $user['password'])) {
            return null;
        }

        return new User(Uuid::fromBytesToHex($user['id']));
    }
}

return PHP_VERSION_ID >= 50307;
    }

    /** * @param string $password * @param string $hash * * @return bool */
    public function isPasswordValid($password, $hash)
    {
        return password_verify($password, $hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_BCRYPT, $this->options);

return \defined('PASSWORD_ARGON2I');
    }

    /** * @param string $password * @param string $hash * * @return bool */
    public function isPasswordValid($password, $hash)
    {
        return password_verify($password, $hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_ARGON2I, $this->options);

->with(
                'user',
                static::callback(static function Darray $data) use ($localeId): bool {
                    static::assertEquals('admin', $data['username']);
                    static::assertEquals('first', $data['first_name']);
                    static::assertEquals('last', $data['last_name']);
                    static::assertEquals('test@test.com', $data['email']);
                    static::assertEquals($localeId, $data['locale_id']);
                    static::assertTrue($data['admin']);
                    static::assertTrue($data['active']);

                    return password_verify('shopware', (string) $data['password']);
                })
            );

        $connection->expects(static::once())->method('fetchOne')->willReturn(json_encode(['_value' => 8]));

        $connection->method('createQueryBuilder')->willReturnOnConsecutiveCalls(
            new FakeQueryBuilder($connection, []),
            new FakeQueryBuilder($connection, [[$localeId]])
        );

        $user = [

if ($grantType === 'client_credentials' && $clientSecret !== null) {
            if (!\is_string($clientIdentifier)) {
                return false;
            }

            $values = $this->getByAccessKey($clientIdentifier);
            if (!$values) {
                return false;
            }

            return password_verify($clientSecret, (string) $values['secret_access_key']);
        }

        // @codeCoverageIgnoreStart         throw OAuthServerException::unsupportedGrantType();
        // @codeCoverageIgnoreEnd     }

    public function getClientEntity($clientIdentifier): ?ClientEntityInterface
    {
        if (!\is_string($clientIdentifier)) {
            return null;
        }