The following is my stored password hash:
$P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0
I am trying to authenticate my XenForo password like this:
$newHash = crypt($userPass, $stored_hash);
return $newHash === $stored_hash;
For example:
my password is: 123456
my password stored hash is: $P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0
So I am writing the following code to authenticate:
$newHash = crypt("123456", '$P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0');
return $newHash === '$P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0';
Can anyone suggest how I can authenticate?
Thanks in advance.
You would have to compare the new hash with the old one like this:
// Single quotes keep PHP from interpolating $P and $Di4... as variables.
$existingHash = '$P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0';
$newHash = crypt("123456", $existingHash);
$isSamePassword = $newHash === $existingHash;
I would recommend using this hash algorithm only for backwards compatibility; for new hashes you should use a slow algorithm with a cost factor. The easiest and safest way would be to use the password_hash() function:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Edit:
After some quick research I found out that the signature $P$ is used by the phpass library in case no safe hash algorithm is available. In the absence of alternatives it uses an iterated MD5 hash scheme. You could try to include the phpass library (the code is available) to check your hashes.
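What the phpass check suggested in the edit above amounts to, as an added example that is not part of the original answer and not the phpass library's own code: PHP's crypt() has no handler for the $P$ prefix, so the iterated-MD5 digest has to be recomputed by hand. The function and constant names are made up for this example, the `$H$` prefix used by phpBB is accepted as well, and a successful legacy match is followed by re-hashing with password_hash() as the answer recommends.

```php
<?php
// Added example (not phpass's own code): verify a phpass "portable" hash.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base64 variant: 6-bit groups taken low bits first, no padding.
function phpass_encode64(string $input, int $count): string
{
    $out = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $out .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $out .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

function phpass_portable_verify(string $password, string $stored): bool
{
    // Layout: 3-char id, 1 cost char, 8 salt chars, 22 digest chars = 34.
    $id = substr($stored, 0, 3);
    if (strlen($stored) !== 34 || ($id !== '$P$' && $id !== '$H$')) {
        return false;
    }
    $log2 = strpos(ITOA64, $stored[3]); // cost char encodes log2(iterations)
    if ($log2 === false || $log2 < 7 || $log2 > 30) {
        return false;
    }
    $hash = md5(substr($stored, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    // Constant-time comparison of the recomputed string with the stored one.
    return hash_equals($stored, substr($stored, 0, 12) . phpass_encode64($hash, 16));
}

// Hash from the question; single quotes stop PHP interpolating $P and $Di4...
$stored = '$P$Di4MXJKUkkJRfzrpffssNdasSN3XAg0';
if (phpass_portable_verify('123456', $stored)) {
    // Legacy hash matched: re-hash with a slow algorithm and store that instead.
    $upgraded = password_hash('123456', PASSWORD_BCRYPT);
}
```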