How do I register people? (Hash issue)

vortexhlp · Post by **vortexhlp** » Wed Feb 18, 2015 7:09 pm

Okay, so the issue that I have is figuring out how to login/register from my test page (outside of phpBB's directory). Obviously the bridge is there and it uses what phpBB needs to use to function but this whole phpass thing is difficult to figure out. Before I go on, let me just say that I have gone through many topics relating to this and after 2-days I decided to post here for help.

#1: I'm using Codeigniter, and php 5.5.x
#2: I'm still on phpbb 3.0.8
#3: I load the helper and have the following set: $data['hasher'] = new PasswordHash(8, false);

From what I understand, phpBB uses http://www.openwall.com/phpass/ which generates a unique hash, gets salted by something unique (not sure what though, is it hardware?), and so on... I followed this tutorial: http://sunnyis.me/blog/secure-passwords/ and the guide on the phpass website.

Here's the issue what I'm having...
The passwords listed in the database aren't at all the same size as they are when generating using phpass. They're like 34 characters or so but the hash is almost twice as long when generating. Now, I get that the hash will be different every time but I merely want to compare the value input to the database for login and insert a new hash when registering.

Checking to see if the hash is the same (not sure exactly what this does but I'm guessing it's phpass magic that checks to see if plain_password was converted and then can be understood?)

Code: Select all

$plain_password = "test";
$password_hashed = $hasher->HashPassword($plain_password);
if($hasher->CheckPassword($plain_password, $password_hashed)) {
    echo "YES, Matched";
} else {
    echo "No, Wrong Password";
}

Well, if we get the db value, how do we compare it?
$plain_password should be what the user input, let's pretend it's "test"
$password_hashed = $database_password_value; (the 32 character password from earlier)

then We run through the validation again right? if($hasher->CheckPassword etc....

The issue I'm having is that it keeps saying "No, Wrong Password". The database password is static, so it's not really pulling from the db but the db value is entered as plain text for test purposes.

Then, my next issue would be how do I convert $plain_password to a new password? Thanks a million in advance

AmigoJack · Post by **AmigoJack** » Thu Feb 19, 2015 8:08 am

Seems like you never looked into /includes/functions.php where both phpbb_hash() and phpbb_check_hash() are defined which do both jobs you're seeking.

vortexhlp · Post by **vortexhlp** » Thu Feb 19, 2015 8:13 pm

AmigoJack wrote:Seems like you never looked into /includes/functions.php where both phpbb_hash() and phpbb_check_hash() are defined which do both jobs you're seeking.

I feel good right about now

It turns out that I couldn't just use a library for codeigniter and phpass, it had to be specifically for phpBB since you guys do things a little differently. Plus it has $H$ variable instead of $P$ which changes everything. Now all the passwords store correctly and compares just fine

Guess my next step is to look into what phpBB does with cookies. Thanks for your help

advertisements