
Check bcrypt passwords always fails Phalcon php

I have a little issue with checking bcrypted passwords with Phalcon PHP. What I have is a login script where I check the password:

    $username = $this->request->getPost('username', 'string');
    $password = $this->request->getPost('password', 'string');
    $conditions = "Username = :username:";
    $parameters = array(
        "username" => $username
    );

    $user = Users::findFirst(array($conditions, 'bind' => $parameters));
    // check if user exists (findFirst returns no model when nothing matches)
    if ($user) {
        // compare the submitted password with the stored bcrypt hash
        if ($this->security->checkHash($password, $user->Password)) { // always fails
            // login: keep the username in the session, not the password hash
            $this->session->set('username', $user->Username);
            $this->response->redirect('index');
        }
    }

In my registration I have:

    $name = $this->request->getPost('name', 'string');
    $lastName = $this->request->getPost('lastName', 'string');
    $username = $this->request->getPost('username', 'string');
    $password = $this->request->getPost('password', 'string');
    $email = $this->request->getPost('email', 'email');

    $user = new Users(); // model
    $user->Name = $name;
    $user->LastName = $lastName;
    $user->Username = $username;
    $user->Password = $this->security->hash($password);
    $user->Email = $email;
    if ($user->save() == true) {
        // registered
    } else {
        // error
    }

It seems like I am doing everything according to the documentation, but it doesn't seem to work. Could anybody help me, please?

In your database the stored password must be the encrypted value of jt26, i.e., the product of $this->security->hash('jt26'). Probably you stored the password first and then implemented the register/login function. Just replace jt26 in your database with the string generated by $this->security->hash('jt26') and everything should start working.

It produces a different string each and every time. Should it be like that?

Yes, that's exactly what it should do. See this for details. The salt is always randomly generated (unless provided), based on which the hash is generated. When verifying the password, Bcrypt uses salt to regenerate the hash and then checks that it matches.
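
The behaviour discussed in this thread, as an added example that is not part of the original posts: the same password hashes to a different string each time yet still verifies, while a plaintext value left in the password column never does. It uses PHP's built-in password_hash() and password_verify() in place of Phalcon's security component so it runs without the framework; bcryptParts() is a hypothetical helper and the entries in $rows are constructed sample data.

```php
<?php
// Added example: PHP's built-in bcrypt API, used here instead of Phalcon's
// $this->security component so the script runs without the framework.

// Hypothetical helper: split a bcrypt string into its fields, or return null
// if the value is not one. Layout: $<version>$<cost>$<22-char salt><31-char digest>
function bcryptParts(string $stored): ?array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $stored, $m)) {
        return null; // e.g. a plaintext password saved before hashing existed
    }
    return ['version' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'jt26'; // sample password from the answer above

// Two hashes of the same password differ because each gets a fresh random salt.
$h1 = password_hash($password, PASSWORD_BCRYPT);
$h2 = password_hash($password, PASSWORD_BCRYPT);
printf("hashes equal: %s\n", var_export($h1 === $h2, true));
printf("salts equal:  %s\n", var_export(bcryptParts($h1)['salt'] === bcryptParts($h2)['salt'], true));

// Constructed sample rows: one plaintext value, two hashes.
$rows = ['legacy_user' => 'jt26', 'user_a' => $h1, 'user_b' => $h2];

foreach ($rows as $name => $stored) {
    $isHash = bcryptParts($stored) !== null;
    // password_verify() re-hashes the input with the salt embedded in $stored.
    $ok = password_verify($password, $stored);
    printf("%-12s bcrypt=%-5s verify=%s\n", $name, var_export($isHash, true), var_export($ok, true));

    if (!$isHash) {
        // One-time repair: replace the plaintext with its hash, then verify again.
        $rows[$name] = password_hash($stored, PASSWORD_BCRYPT);
        $again = password_verify($password, $rows[$name]);
        printf("%-12s rehashed, verify=%s\n", $name, var_export($again, true));
    }
}
```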
