Password hashing and verification using PHP's password_hash function
P粉798010441
P粉798010441 2023-10-13 23:55:11
0
2
768

Lately I've been trying to implement my own security on a login script I stumbled across on the internet. After struggling to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash.

From what I understand (based on reading this page), when you use password_hash the salt is already generated on the line. This is real?

My other question is, wouldn't it be wise to have 2 types of salt? One directly in the file and one in the database? This way, if someone corrupts the salt in the database, you can still save the salt directly in the file? I read here that storing salt is never a smart idea, but it always confuses me what people mean by that.

P粉798010441
P粉798010441

reply all(2)
P粉520545753

Yes, you understand correctly, the function password_hash() will generate the salt by itself and include it in the generated hash value. It is absolutely correct to store the salt in the database, even if it is known to do its job.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($_POST['password'], PASSWORD_DEFAULT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($_POST['password'], $existingHashFromDb);

The second salt you mentioned (the one stored in the file) is actually the pepper or server side key. If you add it before hashing (just like salt), then you're adding pepper. There is a better way though, you can first calculate the hash and then encrypt (both ways) the hash using a server side key. This allows you to change the key if necessary.

Contrary to the salt, this key should be kept secret. People often mix it up and try to hide the salt, but it's better to let the salt do its job and add the secret with the key.

P粉310931198

It is recommended to use password_hash to store passwords. Don't separate them into databases and files.

Suppose we have the following input:

$password = $_POST['password'];

You first hash the password by doing the following:

$hashed_password = password_hash($password, PASSWORD_DEFAULT);

Then view the output:

var_dump($hashed_password);

As you can see, it is hashed. (I assume you followed these steps).

Now you store this hashed password in the database, Make sure your password column is large enough to accommodate the hash value (at least 60 characters or longer) . When the user asks to log in, you can check the entered password using a hash in the database as follows:

// Query the database for username and password
// ...

if(password_verify($password, $hashed_password)) {
    // If the password inputs matched the hashed password in the database
    // Do something, you know... log them in.
} 

// Else, Redirect them back to the login page.

Official reference

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template