I am migrating users from one environment to another and we need to verify the user passwords on this new environment. I'm trying to keep users from having to reset their passwords.
My plan is to get the inputted password on login, run it through the same process and see if I get the existing hash as a result. Then I'll re-hash the password to the other standard.
The problem is, the current hash is being done using pbkdf2 with HMAC-SHA1 algo, 3000 runs.
If I put the information I get from the current site here I get the correct hash.
If I do the same using hash_pbkdf2 in PHP I get different results.
$hash = hash_pbkdf2('sha1', 'testing123', $salt, 3000, 16); // Found: cb2f9681a3bcad97
$base64 = base64_encode( $hash ); // Found: Y2IyZjk2ODFhM2JjYWQ5Nw==
For salt, I tried it in binary, hex, uppercase, lowercase, base64 decoded, encoded. I probably tried every variation.
The values for testing are:
Password: testing123
Runs: 3000
Length: 16
Salt: lg4YdsfGNm9zuRizCmk9rA==
Expected result in base64: b11fsnE0JKRaVJTS7uHDqQ==
I don't understand what I'm doing wrong.
Not sure why but the website you provided and the hash_pbkdf2() are not behaving the same:

- hash_pbkdf2() divides by 2 the key length, so you have to double it to obtain the same hash
- hash_pbkdf2()'s result corresponds to the Hex field on the website

The following code will give you the same base64 value as on the website (according to above comments):
$hash = hash_pbkdf2('sha1',
/* password */ 'testing123',
/* salt */ "lg4YdsfGNm9zuRizCmk9rA==",
/* iterations */ 3000,
/* key length *2 */ 32);
$bin = hex2bin($hash);
$base64 = base64_encode($bin);
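As an added example (not code from the question or the answer above), here is the verify-then-migrate flow the question describes, written around the same hash_pbkdf2() call. It uses the raw-output flag instead of the hex round trip, so the length argument is a byte count, and compares with hash_equals() before issuing a fresh password_hash() value. It assumes, as the answer does, that the legacy system fed the base64 salt string itself to PBKDF2; if that system decoded the salt first, pass base64_decode($saltB64) instead. The function names and the constants are this example's own.

```php
<?php
// Added example: verify a legacy PBKDF2-HMAC-SHA1 hash, then re-hash with
// password_hash(). Not code from the original question or answer.
// Assumption (as in the answer above): the salt string itself, not its
// base64-decoded bytes, was fed to PBKDF2. If the old system decoded it,
// use base64_decode($saltB64) in the two legacy functions below.

const LEGACY_ITERATIONS = 3000;
const LEGACY_KEY_BYTES  = 16;

/**
 * Recompute the legacy hash as base64.
 * With true as the last argument hash_pbkdf2() returns raw bytes, so
 * $length is a byte count. With the default hex output the same $length
 * is a count of hex characters, i.e. half as many bytes; that is what
 * produced the 8-byte result in the question.
 */
function legacyPbkdf2(string $password, string $saltB64): string
{
    $raw = hash_pbkdf2('sha1', $password, $saltB64, LEGACY_ITERATIONS, LEGACY_KEY_BYTES, true);
    return base64_encode($raw);
}

/**
 * Same value via the hex path from the answer: request twice the byte
 * count, then hex2bin() before base64. Kept so both forms can be compared.
 */
function legacyPbkdf2ViaHex(string $password, string $saltB64): string
{
    $hex = hash_pbkdf2('sha1', $password, $saltB64, LEGACY_ITERATIONS, LEGACY_KEY_BYTES * 2);
    return base64_encode(hex2bin($hex));
}

/**
 * At login: check the supplied password against the legacy record. On a
 * match, return a fresh password_hash() string to store in its place;
 * return null when the password does not match.
 */
function verifyAndMigrate(string $password, string $saltB64, string $expectedB64): ?string
{
    $computed = legacyPbkdf2($password, $saltB64);
    // hash_equals() compares in constant time, so the comparison does not
    // leak how many leading characters of the stored hash matched.
    if (!hash_equals($expectedB64, $computed)) {
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Usage with the values from the question (the expected hash is the one
// the asker reported from the legacy site).
$saltB64     = 'lg4YdsfGNm9zuRizCmk9rA==';
$expectedB64 = 'b11fsnE0JKRaVJTS7uHDqQ==';

// Both encodings of the same derivation must agree.
var_dump(legacyPbkdf2('testing123', $saltB64) === legacyPbkdf2ViaHex('testing123', $saltB64));

$newHash = verifyAndMigrate('testing123', $saltB64, $expectedB64);
if ($newHash === null) {
    echo "legacy hash did not match\n";
} else {
    echo "migrated; new hash: $newHash\n";
    var_dump(password_verify('testing123', $newHash));
}
```

Once the new hash is stored, drop the legacy salt and hash for that user so the 3000-iteration SHA-1 value no longer has to be protected.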