Using PHP 5.5's password_hash and password_verify Functions for Secure Password Storage
Question:
When using PHP 5.5's password_hash() function to store user passwords, should the salt be stored separately from the hash?
Answer:
No, storing the salt separately from the hash is incorrect. The password_hash() function generates a string that contains both the hash and the salt. Here's the proper way to use it:
$hashAndSalt = password_hash($password, PASSWORD_BCRYPT); // Insert $hashAndSalt into database against user
To verify the password:
if (password_verify($password, $hashAndSalt)) { /* Verified: the salt embedded in $hashAndSalt is reused to recompute and compare the hash */ }
This approach provides optimal security as it prevents attackers from accessing the salt and compromising the hash. Additionally, it is recommended to use mysqli instead of ext/mysql, which is deprecated as of PHP 5.5, and to guard against SQL injection when writing the hash to and reading it from the database.
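The following is an added example (not code from the original answer) showing why no separate salt column is needed: the string returned by password_hash() carries the algorithm, cost and salt, and password_verify() reads them back out. The in-memory $users array stands in for the database table and the user names and passwords are constructed for the example.

```php
<?php
// Simulated user table: username => string returned by password_hash() (constructed)
$users = [];

function registerUser(array &$users, $username, $password) {
    // bcrypt output looks like $2y$<cost>$<22-char salt><31-char hash>, 60 chars total
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function loginUser(array &$users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    // password_verify() extracts the salt and cost from $stored itself
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Transparently re-hash on login if the stored hash uses a weaker cost
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return true;
}

registerUser($users, 'alice', 'correct horse battery staple');
$stored = $users['alice'];

// Split the stored string to show that the salt is embedded in it
list(, $algo, $cost, $saltAndHash) = explode('$', $stored);
printf("algo=%s cost=%s salt=%s hash=%s\n",
    $algo, $cost, substr($saltAndHash, 0, 22), substr($saltAndHash, 22));

// password_get_info() reports the same parameters without parsing by hand
var_dump(password_get_info($stored)['options']);

// Same password hashed again gets a fresh random salt: different string, still verifies
$again = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
var_dump($again !== $stored, password_verify('correct horse battery staple', $again));

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'mallory', 'anything'));
```

Only the single 60-character string per user needs to be persisted; when writing it with mysqli, bind it as a parameter of a prepared statement rather than interpolating it into the SQL.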