I am relatively new to php, and just beginning to grasp the point of salt when it comes to hashing passwords (I think?). Anyways, here's my problem...
Right now I have a mysql database with a username, password, salt field. The password field length is 64 chars, the salt field is 3 chars. Upon registry, each username is assigned a random salt. I am not having any issues with this (I believe). First, the user's desired password is hashed via:
$hashedinput = hash ('sha256', $input);
The user's desired password is then hashed with the salt included with pbkdf2 by the following procedure, and entered in the database:
$password = pbkdf2('sha256', $hashedinput, $salt, 10000, 64);
My problem is the log in. When comparing the hashed password in the database to the password the user inputs, it always comes back !=. Here is what I do to validate login:
$userData = mysql_fetch_array($search, MYSQL_ASSOC);
$inputhash = hash('sha256', $input); // From Form
$salt = $userData['salt']; // Salt from DB
$password = pbkdf2('sha256', $inputhash, $salt, 10000, 64);
$knownpassword = $userData['password']; // Known password from DB
So, to troubleshoot I echo'd all the outputs and this is what it looks like when I enter the CORRECT password (and it doesn't log me in):
Input password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6e66913e43bf60478907ca07429b0cf90c808ce2097e0544cc44d298bfb7b85ad
DB password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6
Note that the input password has the first 64 characters correct, but it continues to go on for 128 chars total. The DB password is just 64.
Thanks ahead of time!
