
Possible to login without the digits in the password

I just discovered that my password-protected area is not that protected. Passwords are required to use digits. Now, if the password has the digits at the end, somehow the login is accepted as long as the a-z part of the password is correct. Why is that and how can I correct that? (PHP 5.4.28)

function generate_hash($password)
{
    $salt = openssl_random_pseudo_bytes(22);
    $salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
    return crypt($password, $salt);
}

$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password) ) );
$results = $db->select("users", 'email=:email AND password=:password', $bind);

I don't know about the specifics of your problem, but you're using the hash completely wrong. To use crypt, you do the following:

On registration:

  • create a random salt
  • create the $salt argument in a proper format: $2a$xx$... (note: no %, that may contribute to the problem)
  • hash the password with crypt($password, $salt)
  • store the hash in the database

On login:

  • retrieve the password hash from the database based on the entered email
  • generate a hash using crypt($enteredPassword, $databaseHash)
  • compare the two hashes

You're not doing that at all. You should probably also use password_hash instead, which takes care of a lot of pitfalls in the usage of the raw crypt API.
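The registration and login steps listed in the answer, written out as an added example that is not code from the question, the answer or any library. It assumes an in-memory array standing in for the users table (constructed for the demo), the function names used here are hypothetical, and password_hash()/password_verify() require PHP 5.5 or the password_compat polyfill on the asker's 5.4. The raw-crypt path also checks for the failure value that crypt() returns when it rejects a malformed salt, which is the case the answer's "no %" note is about.

```php
<?php
// Added example (not from the original question or answer): the register/login
// flow the answer describes, first with raw crypt() and then with password_hash().
// password_hash()/password_verify() need PHP >= 5.5 (or the password_compat polyfill).

// Constructed stand-in for the users table: email => stored hash.
$users = array();

// Build a bcrypt salt string: "$2y$" + two-digit cost + "$" + 22 chars from [./A-Za-z0-9].
// Note there is no stray '%' between "$2y$" and the cost.
function make_bcrypt_salt($cost = 13)
{
    $raw = openssl_random_pseudo_bytes(17);                    // 17 bytes -> 24 base64 chars
    $chars = substr(strtr(base64_encode($raw), '+', '.'), 0, 22); // '+' is not in bcrypt's alphabet
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function crypt_hash($password)
{
    $hash = crypt($password, make_bcrypt_salt());
    // Per the PHP manual, crypt() signals failure by returning a string shorter
    // than 13 characters (for example "*0"). Such a value must never be stored
    // or reused as a salt, so treat it as a hard error.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() rejected the salt');
    }
    return $hash;
}

// Registration: hash once with a fresh random salt and store only the hash.
function register_raw(array &$users, $email, $password)
{
    $users[$email] = crypt_hash($password);
}

// Login: re-hash the submitted password using the STORED hash as the salt
// (crypt reads algorithm, cost and salt back out of it) and compare the results.
function login_raw(array $users, $email, $password)
{
    if (!isset($users[$email])) {
        return false;
    }
    $stored = $users[$email];
    $candidate = crypt($password, $stored);
    // hash_equals() (PHP 5.6+) compares in constant time; fall back to === on older versions.
    return function_exists('hash_equals') ? hash_equals($stored, $candidate) : $stored === $candidate;
}

// The same flow with the higher-level API the answer recommends.
function register_api(array &$users, $email, $password)
{
    $users[$email] = password_hash($password, PASSWORD_BCRYPT, array('cost' => 13));
}

function login_api(array $users, $email, $password)
{
    return isset($users[$email]) && password_verify($password, $users[$email]);
}

// Demo with constructed passwords whose digits sit at the end, as in the question:
// dropping the trailing digits must now fail the login.
register_raw($users, 'alice@example.invalid', 'correcthorse42');
var_dump(login_raw($users, 'alice@example.invalid', 'correcthorse42'));
var_dump(login_raw($users, 'alice@example.invalid', 'correcthorse'));

register_api($users, 'bob@example.invalid', 'batterystaple42');
var_dump(login_api($users, 'bob@example.invalid', 'batterystaple42'));
var_dump(login_api($users, 'bob@example.invalid', 'batterystaple'));
```

The important difference from the question's code is that the database query no longer tries to match on a freshly generated hash: registration stores one hash, and login fetches that hash by email and feeds it back into crypt() (or password_verify()) as the salt, so the comparison is against the same salt and cost that were used originally.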
