How to use PHP's password_hash in Android

Question

I have a password stored in a database, which was encrypted using PHP's password_hash hashing algorithm.

Example:

password_hash("pass", PASSWORD_DEFAULT);

Would produce the hash:

$2y$10$3e6a/J0xDd1LONdnbkp5nud.WwS3.gV3aHBTYX6r4Bq2BxZTjDCZu 

From PHP's documentation:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure. Supported Options:

As it says that it uses the bcrypt algorithm, would there be a way of generating the same hash shown above within my android application client side?

I have tried implementing this using jBcrypt without results.

Answer 1

I didn't understand why you need to reproduce the same hash in your mobile app but, I guess, you could try this:

PHP password_verify

You could send the password from you mobile app using a another encryption, decrypt it in you php server and use password_verify.

I'm counting you have a password salt in your server to make passwords stronger.

Hope that helps

Answer 2

Yes, you can recreate the hash on the Android side, but this does not solve your encryption problem. If you send the hash in the clear, an attacker can simply replay the hash, and access your system without having to know the password.

The output of the password_hash function includes the algorithm, cost option, and salt before the actual hash (2y tells you the algorithm, 10 is the cost option in your example). You need to input this into the crypt function on the Android end by supplying the these parameters. Normally you just supply the whole output as the input to the crypt function, but this is the token you are trying to validate to begin with, so you need to extract only the parts you need with salt depending on the algorithm you use.

The simplest way to do that is to use an existing digest implementation like this, and use a cipher that is supported by the server and client sides like CRYPT_SHA256 or CRYPT_SHA512.

But to reiterate, you should just properly use encryption.