Version: v0.7.1 - Beta.  We welcome contributors & feedback.

Password.check

$password.check($correctHash) -> boolean

Description

Returns true if this password is an exact match for $correctHash. The hash is the form in which Password objects are saved to the database via the Db module, so the value you pass in is the stored hash, never the plaintext password.

A hash looks something like this: $2y$10$ko.tlm3NGWCegJqo...

$tryPassword = Input.post('password')

if $tryPassword.check($correctHash) {
    // Good. Log in...
}

Full Example

$correctPassHash = getCorrectHash()
$tryPass = Input.post('password')

if $tryPass.check($correctPassHash) {
    // Good. Log in...
}

fn getCorrectHash {

    $query = sql'''
        select password from user where userId = {}
    '''

    $userId = Session.get('userId')
    $user = Db.getRow($query.fill($userId))

    return $user.password
}

Rate Limiting

Calls to this method are rate-limited to prevent brute force attacks.

It is currently limited to 30 failed attempts per hour. This is large enough that normal users should not be affected, but automated attempts will be slowed considerably. At this rate, a 10,000 word dictionary attack would take about 13 days.

The rate limit applies in 2 ways: to the client IP address, and to the password itself. This dual approach will help mitigate site-wide distributed attacks (e.g. from a botnet) and attacks that target a specific user.

Attempts beyond this limit are returned as a failed match (false), with no indication that the rate limit was hit. Because the method gives no feedback about the rate limit, most bots will simply keep making attempts, but those attempts have zero chance of finding the correct match.

To help prevent a Denial of Service (DoS) from this approach (an attacker deliberately exhausting the per-password limit so that the legitimate user is locked out), IP addresses that have successfully used this password in the past 10 days will bypass the rate limit.
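The following is an added Python model of the rules described in this section, written for illustration; it is not THT's own implementation. It assumes the "password itself" key is the stored hash of the account being checked, uses PBKDF2-SHA256 as a stand-in for bcrypt, and takes an explicit `now` timestamp so the one-hour window and 10-day trust period can be exercised offline.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 10_000  # deliberately low for the demo; a real deployment uses far more


def make_hash(password, salt=None):
    """Constructed stand-in for a bcrypt hash: hex salt + '$' + hex PBKDF2 output."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class CheckLimiter:
    """30 failures per hour, counted per client IP and per stored hash; over-limit
    calls return a plain False; an IP with a success in the last 10 days bypasses."""

    def __init__(self, limit=30, window=3600, trust=10 * 86400):
        self.limit, self.window, self.trust = limit, window, trust
        self.failures = defaultdict(list)  # ("ip", ip) or ("hash", h) -> failure times
        self.trusted = {}                  # (ip, h) -> time of last successful check

    def _recent_failures(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return len(self.failures[key])

    def check(self, ip, try_password, correct_hash, now=None):
        now = time.time() if now is None else now
        keys = (("ip", ip), ("hash", correct_hash))
        last_ok = self.trusted.get((ip, correct_hash))
        bypass = last_ok is not None and now - last_ok < self.trust
        if not bypass and any(self._recent_failures(k, now) >= self.limit for k in keys):
            return False  # over the limit: indistinguishable from a wrong password
        ok = verify(try_password, correct_hash)
        if ok:
            self.trusted[(ip, correct_hash)] = now
        else:
            for k in keys:
                self.failures[k].append(now)
        return ok
```

Driving this with 30 wrong guesses against one hash from 30 different IPs shows the per-hash key catching a distributed attack, while the IP that logged in earlier still gets through.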