1

I am using a HTTP POST from android to some php script in order to update a users password in the database.

I am using the same SALT hash as is done when the user creates the account and the database update is running and changing the values of SALT however when I try to log in with the new password it is coming as incorrect.

The initial code for creating the password is:

public function storeUser($name, $email, $password, $rand) {
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt
    $auth = 0;
    $result = mysql_query("INSERT INTO users(unique_id, authorized, auth_code, name, email, encrypted_password, salt, created_at) VALUES('$uuid', '$auth', '$rand', '$name', '$email', '$encrypted_password', '$salt', NOW())");
    // check for successful store
    if ($result) {
        // get user details 
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE uid = $uid");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

The hashing functions are:

 /**
 * Encrypting password
 * @param password
 * returns salt and encrypted password
 */
public function hashSSHA($password) {

    $salt = sha1(rand());
    $salt = substr($salt, 0, 10);
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Decrypting password
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(sha1($password . $salt, true) . $salt);

    return $hash;
}

And finally the update function (where the problem is):

 /**
 * Updating a users
 * password
 */
public function updatePassword($email, $password) {
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt

    $result = mysql_query("UPDATE users SET encrypted_password='$encrypted_password',  updated_at = NOW() WHERE email='$email'");
    $result = mysql_query("UPDATE users SET salt='$salt',  updated_at = NOW() WHERE email='$email'");


    // check for successful store
    if ($result) {
        // get user details
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE email = '$email'");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

As always any help greatly appreciated.

EDIT:

Login function as requested:

 /**
 * Get user by email and password
 */
public function getUserByEmailAndPassword($email, $password) {
    $result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
    // check for result
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysql_fetch_array($result);
        $salt = $result['salt'];
        $encrypted_password = $result['encrypted_password'];
        $hash = $this->checkhashSSHA($salt, $password);
        // check for password equality
        if ($encrypted_password == $hash) {
            // user authentication details are correct
            return $result;
        }
    } else {
        // user not found
        return false;
    }
}
EHarpham
  • 602
  • 1
  • 17
  • 34
  • Is the email address field unique? – stan Feb 24 '13 at 21:34
  • What does the login function look like? Your hashing function looks ok, except that there's no value to using the raw binary output of sha1 and concatenating the salt onto that. Just use the basic `sha1($password . $salt)` and skip the base64 encoding. Also, [consider using a stronger algorithm than sha1](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Michael Berkowski Feb 24 '13 at 21:38
  • Thanks for the reply. Could you please clarify? Each e-mail address stored in the database is unique however in SQL they are not set as as unique index. – EHarpham Feb 24 '13 at 21:39
  • Login function added as edit. – EHarpham Feb 24 '13 at 21:42
  • How to recover password when users forgot it? – Iman Marashi Sep 26 '15 at 18:59

1 Answers1

0

You have built a weak scheme to hash your passwords, because you use a single iteration of SHA1 as hash function, and because the salt is truncated to 10 characters and is generated with the cryptographically unsafe rand() function. Then you make your life harder than necessary with storing the salt in a separate field.

In your case i would strongly recommend to use the new functions password_hash() and password_verify() of PHP to get a strong BCrypt hash. They take care of the generation of a safe random salt, and the resulting string contains the hash-value as well the salt, so you can store it in a single field in your database. There exists a compatibilty pack for earlier PHP versions.

The easiest way to use this functions will be:

$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

To answer your question: I couldn't see an obvious reason why it doesn't work, often the problem is a database field that is too short. In your case you need place for a binary SHA1 with a 10 character salt added, that is base64_encoded (difficult to predict the necessary size). It can also be dangerous to combine the binary string from SHA1 (null bytes) with a normal string.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87