Authenticate a user login with salt

Question

I'm using salt to encrypt my users' passwords. I'm using PHP, and here's a quick sample of what happens during a users registers.

Here it is:

PHP code:

    // Gives me my random key. My salt generator.
    $salt = uniqid(mt_rand());

    // My password via what users inputs.
    $userpwd;

    // Then the encryption. I use a HMAC hash.
    $encrypted = hmac_hash("sha256", $userpwd, $salt);
?>

Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.

I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?

Answer 1

You need to generate a unique salt for each user's password, and then store the value of the salt somewhere you can retrieve it. For example, by saving the salt to a user table along with the username and hashed password. That way you can extract the known salt and run it through your function when you go to authenticate a user.

Here is an article that contains more information: Storing Passwords - done right!

And for more information about salts: salt-generation-and-open-source-software

Answer 2

You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.

if (hmac_hash("sha256", $_POST['password'], $saltFromDatabase) === $hashFromDatabase)
    $login = true;

You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).

Note: Hashing is not the same as encryption; It is an irreversible process.

Answer 3

You don't decrypt what you've stored. You hash the entered password and compare it with what was stored at registration. This is because if two hashes match then (to all intents and purposes) you can be confident that the source data matches.

Answer 4

You encrypt the password used to log in and compare it with the encrypted password in your database. :)

Answer 5

You compute the hash of the password user has entered, just as you do when registering them. Note that the code is semi-pseudo code, you need to adapt it to your libraries or functions.

$res = db('SELECT etc FROM users WHERE user=? AND pass=?',
    $_POST['user'], hmac_hash("sha256", $_POST['pass'], $salt));
if(numRows($res) > 0) {
    // continue with authentication
}

If the salt is stored in the db, then you have to either fetch it first, or do the comparison in the db.

Answer 6

Your salt needs to be constant, and not random. That way when you are checking the password against the hash, all you have to do is hash the input with the salt again, and the resulting hash should be the same as what came out before.