Compared Digest with Salted Password Hash Lab9_1

           else {//Secure password hash format
                            if (crypt($_REQUEST['pass'], $row['pass']) == $row['pass']) {
                                    $_SESSION['user'] = $row['user'];
                                    $logged_in = true;

Hi there,

On Lab 9_1, secure password hash login.php - solution,

the following if statement doesn’t seems to make any sense.

typically crypt(password,salt) will generate a password digest.

2ndly, we store the crypt password into the database with a salt crypt(password)

So how am I going to compare o.0?


Out of curiousity, I have actually tried this from PHP: crypt - Manual,

<?php $hashed_password = crypt('mypassword'); // let the salt be automatically generated /* You should pass the entire results of crypt() as the salt for comparing a password, to avoid problems when different hashing algorithms are used. (As it says above, standard DES-based password hashing uses a 2-character salt, but MD5-based hashing uses 12.) */ if (crypt('mypassword', $hashed_password) == $hashed_password) { echo "Password verified!"; } ?>

So I have answered my own question.

Original post by defalcator