
I am using phpass's bcrypt feature to hash passwords on my website. Right now it really isn't working: trying to compare with the CheckPassword function doesn't work. I did a lot of debugging, looking at every string output by every function I use to decrypt the hash, and came to the conclusion that the hashes generated by bcrypt are completely random. Because of that, a freshly generated hash of the plaintext password never matches the hash in my database. Is that really the case? If so, how on earth do I get this to work? The source code is fairly simple.

// when creating user 
<db insert code>$hash->HashPassword($_POST['password']);

// when logging in
return $hash->CheckPassword($user->password, $_POST['password']);

1 Answer


Edit: The problem is that you have the order wrong; you need the password first, then the stored hash.

$check = $hasher->CheckPassword($password, $stored_hash);

Source

This matters: as I said before (below), the stored hash is used to decide how to hash the password for comparison, so your wrong argument order will cause failure.

Answer from before:

You don't decrypt a hash, you check it by hashing the comparable data in the same way. BCrypt hashes include the hash, the salt and the number of rounds, so there should be no problem in checking this.

The reason that the hashes are never the same is the salt will be different each time. This is to protect from rainbow table attacks.

As far as I can tell, your check is sound. The problem must be elsewhere. Are you sure that $user->password actually contains the hash in full? BCrypt hashes are 60 characters, so make sure it isn't being truncated.

Answered 2012-02-25T16:12:50.743
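A short script that exercises the points made in the answer, added here and not part of the original question or answer: it assumes phpass's PasswordHash.php sits next to the script, hashes one password twice to show that the salt makes the hashes differ, verifies both with CheckPassword(password, stored_hash), shows that the reversed argument order from the question fails, and adds a basic check for a truncated stored hash (the 60-character length the answer mentions).

```php
<?php
// Added example; assumes phpass's PasswordHash.php is in the same directory.
require_once 'PasswordHash.php';

// 8 = log2 of the bcrypt cost; false = do not fall back to weaker portable hashes.
$hasher = new PasswordHash(8, false);

// Constructed sample password, standing in for $_POST['password'].
$password = 'correct horse battery staple';

// Hash the same password twice. Each call draws a fresh random salt, which is
// why the two strings look "completely random" and never match each other.
$hash1 = $hasher->HashPassword($password);
$hash2 = $hasher->HashPassword($password);

// Tiny reporting helper (hypothetical, not part of phpass).
function report(string $label, bool $ok): void {
    echo str_pad($label, 60), $ok ? "yes\n" : "no\n";
}

echo "hash1: $hash1\nhash2: $hash2\n";
report('two hashes of the same password are different strings', $hash1 !== $hash2);

// Correct usage: plaintext first, stored hash second. The salt and cost are
// read out of the stored hash, so both hashes verify against one password.
report('CheckPassword(password, hash1) accepts', $hasher->CheckPassword($password, $hash1));
report('CheckPassword(password, hash2) accepts', $hasher->CheckPassword($password, $hash2));
report('CheckPassword(wrong, hash1) rejects', !$hasher->CheckPassword('wrong password', $hash1));

// The order used in the question: stored hash first, plaintext second. phpass then
// tries to use the plaintext as the "stored hash", finds no valid salt/cost in it,
// and the comparison fails even though the password is right.
report('CheckPassword(hash1, password) fails (wrong order)', !$hasher->CheckPassword($hash1, $password));

// Guard against the truncation the answer warns about (e.g. a too-short VARCHAR
// column): a bcrypt hash from phpass is 60 characters and starts with $2a$/$2x$/$2y$.
function hashLooksIntact(string $stored): bool {
    return strlen($stored) === 60 && preg_match('/^\$2[axy]\$\d{2}\$/', $stored) === 1;
}
report('full hash passes the length/prefix check', hashLooksIntact($hash1));
report('hash cut to 50 characters fails the check', !hashLooksIntact(substr($hash1, 0, 50)));
```

Run it with a PHP CLI; every line should end in "yes", and the two printed hashes should share only their "$2a$08$" (or "$2y$08$") prefix.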