Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP

by DaisyLou (Sexton)
on Aug 14, 2019 at 15:38 UTC ( [id://11104453]=perlquestion: print w/replies, xml ) Need Help??

DaisyLou has asked for the wisdom of the Perl Monks concerning the following question:

Greetings monks

I want to create two passwords that are encrypted in the same way in Perl and PHP (so I can authenticate against them). In PHP, it's easy:

<?php echo "$2y$" . password_hash("mypassword", PASSWORD_BCRYPT); ?>

In Perl, not as easy. I've installed Crypt::Eksblowfish::Bcrypt, but can't figure out how to get it to provide the same hashed password as PHP. Any ideas?

Thank you in advance for your Perl wisdom.

Replies are listed 'Best First'.
Re: use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP
by Your Mother (Archbishop) on Aug 14, 2019 at 16:53 UTC

    Give this a shot. The algorithm version is faked/copied in the Perl to match the PHP… Don’t know how this is going to play with apache auth…

    use strictures; use feature "say"; use Crypt::Eksblowfish::Bcrypt "en_base64", "de_base64", "bcrypt_hash" +; my $pass = shift || "passw0rd"; my $php_pass = qx{php -r 'echo password_hash($pass, PASSWORD_BCRYPT);' +}; my ( $algorithm, $cost, $salt_pass ) = grep length, split /\$/, $php_p +ass; my $salt = substr $salt_pass, 0, 22; my $perl_hash = en_base64( bcrypt_hash({ cost => $cost, key_nul => 1, salt => de_base64($salt) }, $pass ) ); my $perl_pass = sprintf '$%s$%d$%s%s', $algorithm, $cost, $salt, $perl +_hash; say " PHP $pass -> ", $php_pass; say "Perl $pass -> ", $perl_pass;
    PHP passw0rd -> $2y$10$ThWGjh5Jly8qP6FMQApQ3OQElLLuwN03jlZMFdQngphJw7 +U5NCukG Perl passw0rd -> $2y$10$ThWGjh5Jly8qP6FMQApQ3OQElLLuwN03jlZMFdQngphJw7 +U5NCukG
Re: use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP
by atcroft (Abbot) on Aug 14, 2019 at 19:20 UTC

    I think there are more than a few problems with your usage. Number one is that, from the password_hash() documentation that:

    password_hash() creates a new password hash using a strong one-way hashingalgorithm. password_hash() is compatible with crypt().Therefore, password hashes created by crypt() can be used with password_hash().

    The following algorithms are currently supported:

    • PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0).Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change overtime. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
    • PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
    • -x-SNIP-x-

    Supported options for PASSWORD_BCRYPT:

    • salt (string) - to manually provide a salt to use when hashing the password.Note that this will override and prevent a salt from being automatically generated.

      If omitted, a random salt will be generated by password_hash() foreach password hashed. This is the intended mode of operation.

      Warning
      The salt option has been deprecated as of PHP 7.0.0. It is nowpreferred to simply use the salt that is generated by default.

    • cost (integer) - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
    You are prepending the '$2y$' string to the output, meaning all of your hashes will begin with '$2y$$2y$', and likely will not be valid when compared with any other generation.

    Second, while the PHP documentation for their function recommends not using your own salt, it is also likely not written with the idea of using in concert with another implementation. The salt required for bcrypt is 16 octets for Crypt::Eksblowfish::Bcrypt, but the version required for the PHP implementation is the 22 octet base_64 version:

    $ perl -MCrypt::Eksblowfish::Bcrypt -le ' print q{Type: }, q{$2y$}; print q{Cost: }, q{08$}; print q{Salt: }, Crypt::Eksblowfish::Bcrypt::en_base64( q{123456789ABCDEF0} ); print q{Crypt: }, Crypt::Eksblowfish::Bcrypt::en_base64( Crypt::Eksblowfish::Bcrypt::bcrypt_hash( { cost => 8, key_nul => 1, salt => q{123456789ABCDEF0}, }, q{mypassword}, ), );' Type: $2y$ Cost: 08$ Salt: KRGxLBS0Lxe3OSHBPCTEK. Crypt: Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S $ $ php -a Interactive shell php > echo password_hash("mypassword", PASSWORD_BCRYPT, php ( [ 'cost' => 8, 'salt' => 'KRGxLBS0Lxe3OSHBPCTEK.', ], ); $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S php > ^D $
    When placed in the same format, you will see that the results are indeed the same:
    PHP: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S Perl: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S '$2y$' - Identify to crypt() the format used (bcrypt - '$2y$') '08$ - Identify the cost value used 'KRGxLBS0Lxe3OSHBPCTEK.' - Salt value used ('123456789ABCDEF0'). 'Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S' - Hashed password ('mypassword').

    Hope that helps.

Re: use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP
by Your Mother (Archbishop) on Aug 14, 2019 at 16:13 UTC

    I don't think bcrypt works the way you think it does.

    php -r 'echo "$2y$" . password_hash("mypassword", PASSWORD_BCRYPT) . " +\n";' $2y$$2y$10$Pq.17Hp0vw10lK0yngUt8ekXcJQCaqZIpX9dmPIReNcJtGv.GoGaK php -r 'echo "$2y$" . password_hash("mypassword", PASSWORD_BCRYPT) . " +\n";' $2y$$2y$10$cj/nikeT8n7LhGlXsDd5F.brT6CKrCNsF4yAQjFwbUmAnobWRhkW6
Re: use Crypt::Eksblowfish::Bcrypt to create a password the same as password_hash in PHP
by 1nickt (Canon) on Aug 14, 2019 at 15:54 UTC

    Hi again, I use Crypt::Eksblowfish::Bcrypt for password hashing, but only wrapped in Dancer2::Plugin::Passphrase, because I use the Dancer2 web application framework wherever possible. (What are you building on, btw?) So I am no expert at all, but the first place I would look is into what your PHP library is using for salting the hash.

    Hope this helps!


    The way forward always starts with a minimal test.
      According to https://www.php.net/manual/en/password.constants.php, it uses a random salt. I'm looking to do this for Apache basic authentication.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://11104453]
Approved by haukex
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (8)
As of 2024-03-28 09:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found