Bug #80744 password_verify fails to verify bcrypt hashes with cost below 4
Submitted: 2021-02-13 13:11 UTC Modified: 2021-02-13 14:12 UTC
From: divinity76 at gmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 8.0.2 OS:
Private report: No CVE-ID: None
 [2021-02-13 13:11 UTC] divinity76 at gmail dot com
Description:
------------
password_verify fails to verify bcrypt hashes with cost below 4

Test script:
---------------
<?php
var_dump(password_verify("",'$2a$03$AAAAAAAAAAAAAAAAAAAAA.TCFhOtNOtk2Oeef1z4xP561tW1AQOMW'));

Expected result:
----------------
bool(true)

Actual result:
--------------
bool(false)

 [2021-02-13 13:58 UTC] php-bugs at allenjb dot me dot uk
I would posit that this response is correct:

The original OpenBSD implementation[0], which is the closest I believe exists to a specification for bcrypt, specifies a minimum number of 16 (2^4) rounds (BCRYPT_MINROUNDS in the OpenBSD source).

I would guess this is because lower values are likely vulnerable to the speed of brute-force cracking even at the time the algorithm was first proposed (and we've had over 2 decades of advances since then).

Following this "reference implementation", no library should ever generate a hash with a cost value of less than 4, and any such hashes that exist are therefore invalid.

[0] https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/bcrypt.c?rev=1.1&content-type=text/x-cvsweb-markup
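The cost floor described in the comment above, as an added example that is not part of the bug report or of php-src. It parses the modular-crypt bcrypt string to read the cost field, applies the OpenBSD minimum of 4 (log2 of BCRYPT_MINROUNDS = 16), and shows how PHP 8's password_* functions behave on either side of that boundary. The names BCRYPT_MIN_COST, parse_bcrypt, bcrypt_cost_is_valid and needs_stronger_cost, and the policy cost of 12, are assumptions made for this example.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Minimum bcrypt cost: log2 of OpenBSD's BCRYPT_MINROUNDS (16). Name assumed here.
const BCRYPT_MIN_COST = 4;

/**
 * Split a bcrypt modular-crypt string into its fields, or return null if it
 * does not have the expected shape: $2[abxy]$NN$ + 22 salt chars + 31 hash chars.
 */
function parse_bcrypt(string $hash): ?array
{
    $re = '#^\$(2[abxy])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'hash' => $m[4]];
}

/** True only for well-formed hashes whose cost both OpenBSD and PHP accept (4..31). */
function bcrypt_cost_is_valid(string $hash): bool
{
    $p = parse_bcrypt($hash);
    return $p !== null && $p['cost'] >= BCRYPT_MIN_COST && $p['cost'] <= 31;
}

/**
 * Migration check: flag a stored hash whose cost is below the deployed policy
 * (12 is an assumed policy value) so it can be rehashed at the next successful login.
 */
function needs_stronger_cost(string $storedHash, int $policyCost = 12): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $policyCost]);
}

// The cost-03 hash from the report: structurally well-formed, but below the floor.
$lowCost = '$2a$03$AAAAAAAAAAAAAAAAAAAAA.TCFhOtNOtk2Oeef1z4xP561tW1AQOMW';
printf("cost field of reported hash: %d\n", parse_bcrypt($lowCost)['cost']);
var_dump(bcrypt_cost_is_valid($lowCost));   // structural check says no
var_dump(password_verify('', $lowCost));    // PHP agrees and refuses to verify it

// password_hash() will not produce such a hash either: in PHP 8 a cost below 4
// is rejected with a ValueError before any hashing happens.
try {
    password_hash('', PASSWORD_BCRYPT, ['cost' => 3]);
} catch (ValueError $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}

// Cost 4 is the floor: accepted and verifiable, but far too cheap for production use.
$minCost = password_hash('', PASSWORD_BCRYPT, ['cost' => 4]);
printf("cost field of freshly generated hash: %d\n", parse_bcrypt($minCost)['cost']);
var_dump(password_verify('', $minCost));
var_dump(needs_stronger_cost($minCost));    // below the assumed policy cost of 12, so rehash
```

Run it with any PHP 8 interpreter. The structural check and password_verify agree on the reported hash, which is the behaviour the thread concludes is intended: a cost of 3 is outside what the reference implementation defines, so there is nothing to verify. The password_needs_rehash call is the check to wire into a login path when raising the cost policy of an existing user table.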
 [2021-02-13 14:03 UTC] divinity76 at gmail dot com
@allenjb 
interesting, does that mean that the self-test code on line 4 here should be increased from cost 0 to cost 4? since it's not actually testing a valid bcrypt hash in its current form?
https://github.com/php/php-src/blob/07fa13088e1349f4b5a044faeee57f2b34f6b6e4/ext/standard/crypt_blowfish.c#L814
 [2021-02-13 14:12 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2021-02-13 14:12 UTC] nikic@php.net
No, the self-test is performed with a reduced minimum cost threshold (1 instead of 16).
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jul 01 14:01:37 2025 UTC