I was just reading about the new features in PHP 5.5 and it includes new password hashing functionality (http://www.php.net/manual/en/function.password-hash.php). Now if you look at the description, the default operation of it is to randomly generate a password salt if you don't specify one.
But I don't see how that is useful. If you are hashing the password for safe storage and the salt is random, then when you run the string the user enters for the password through, the resulting hash will be different each time, because the salt is different each time. Therefore you would be unable to successfully compare a valid password entered against a stored copy of the password hash.
So how can this be useful at all?
The salt is included in the hash value.
<?php
// Hash with an explicit salt so the output is reproducible for this demonstration
$hash = password_hash("password", PASSWORD_DEFAULT, ['salt' => 'saltsaltsaltsaltsaltsa']);
// Show what can be parsed back out of the stored hash string
print_r(password_get_info($hash));
echo $hash;
Outputs:
Array
(
    [algo] => 1
    [algoName] => bcrypt
    [options] => Array
        (
            [cost] => 10
        )

)
$2y$10$saltsaltsaltsaltsaltsOPRDjePxJkNp7mjBEve63IqKPFT7ehNG
As you can see, the hashing function stores information about the hashing process in the hash itself. The password_verify() function then parses the hash and validates the password based on this information.
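An added example (not part of the answer above) that shows the point end to end: two hashes of the same password made with the default random salt differ, yet both verify, because the cost and salt are read back out of the stored string. The parse_bcrypt_hash() helper is written here for illustration; it assumes the 60-character $2y$ bcrypt format that password_hash() emits on PHP 5.5 and later.

```php
<?php
// Added example, not from the original answer.
// Split a bcrypt string into the fields that password_verify() relies on.
// Format: $2y$<cost>$<22-char salt><31-char digest>, all base64-like chars.
function parse_bcrypt_hash(string $hash): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// No 'salt' option: password_hash() draws a fresh random salt on each call.
// (The explicit 'salt' option used above is deprecated since PHP 7.0.)
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$p1 = parse_bcrypt_hash($hash1);
$p2 = parse_bcrypt_hash($hash2);

// Different random salts, therefore different stored strings.
if ($p1['salt'] === $p2['salt'] || $hash1 === $hash2) {
    throw new RuntimeException('expected two distinct salts/hashes');
}

// Both verify: password_verify() takes cost and salt from the string,
// re-runs bcrypt over the candidate password with them, and compares.
if (!password_verify($password, $hash1) || !password_verify($password, $hash2)) {
    throw new RuntimeException('valid password did not verify');
}
if (password_verify('wrong password', $hash1)) {
    throw new RuntimeException('invalid password verified');
}

// The fields a verifier actually recovers from a stored hash.
print_r($p1);
echo "both hashes verified, salts differ\n";
```

Because the salt travels with the hash, the application never needs to store or regenerate it separately; the only thing it must keep is the full string password_hash() returned.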