How to use PHP's password_hash function for password hashing and verification

Question

Lately I have been trying to implement my own security on a login script I found on the internet. While trying to learn how to generate a salt per user, I stumbled upon password_hash.

As far as I understand (from reading on this page), when using password_hash, the salt is already generated in the line. is this real?

I have another question, is it wise to use two salts? One directly in the file and one in the database? This way, if someone cracks the salt in the database, you still have that salt in the file. I've read here that storing salt is never a wise idea, but I've always been confused by what people mean by this.

Answer 1

Yes, you understand correctly, the function password_hash() will automatically generate a salt and include it in the generated hash value. Storing the salt in the database is perfectly correct and will work even if it is known.

// 为在数据库中存储的新密码生成哈希值。
// 该函数会自动生成一个密码学安全的盐。
$hashToStoreInDb = password_hash($_POST['password'], PASSWORD_DEFAULT);

// 检查输入的登录密码的哈希值是否与存储的哈希值匹配。
// 盐和成本因素将从$existingHashFromDb中提取。
$isPasswordCorrect = password_verify($_POST['password'], $existingHashFromDb);

The second salt you mention (the one stored in the file) is actually a "pepper" or server side key. If you add it before the hash (like salt), then you're adding a kind of pepper. However, there is a better way, you can calculate the hash first and then encrypt (two-way encryption) the hash using a server-side key. This way you can change the key if necessary.

Unlike the salt, this key should be kept secret. People often get confused and try to hide the salt, but it's better to let the salt do its thing and use the key to add the secret.

Answer 2

Using password_hash is the recommended way to store passwords. Don't store them separately into database and files.

Suppose we have the following input:

$password = $_POST['password'];

First hash the password by:

$hashed_password = password_hash($password, PASSWORD_DEFAULT);

Then check the output:

var_dump($hashed_password);

You can see that it has been hashed (I assume you have completed these steps).

Now store this hashed password into the database, Make sure your password column is large enough to accommodate the hash value (at least 60 characters or longer) . When the user asks to log in, you can check if the hash in the database matches the password input via:

// 查询数据库以获取用户名和密码
// ...

if(password_verify($password, $hashed_password)) {
    // 如果密码输入与数据库中的哈希密码匹配
    // 做一些操作，你懂的...登录他们。
} 

// 否则，将他们重定向回登录页面。

Official reference