PHP and password hashing


So I'm trying to hash passwords, since I know if it's decryptable it's not really safe, since if I can decrypt it they can too.

This code is grabbed from the PHP documentation, though I don't see how this will work when I need to compare the password later on. If the hash is different each time, how does it know that the passwords are correct?

//This returns Invalid password.
<?php
/**
 * Note that the salt here is randomly generated.
 * Never use a static salt or one that is not randomly generated.
 *
 * For the VAST majority of use-cases, let password_hash generate the salt randomly for you
 */
$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
$pswhash = password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
echo $pswhash;
if (password_verify('rasmuslerdorf', $pswhash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
// This returns Password is valid!
<?php
/**
 * Note that the salt here is randomly generated.
 * Never use a static salt or one that is not randomly generated.
 *
 * For the VAST majority of use-cases, let password_hash generate the salt randomly for you
 */
$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
if (password_verify('rasmuslerdorf', password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options))) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

 

Back-end developer, electronics "hacker"


Because the hash is within tolerance levels, I assume. I have never really wondered why because it just works. You really don't need to set any options.

 

$password = password_hash($_POST["password"], PASSWORD_DEFAULT);

 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


20 minutes ago, vorticalbox said:

Because the hash is within tolerance levels, I assume. I have never really wondered why because it just works. You really don't need to set any options.

 


$password = password_hash($_POST["password"], PASSWORD_DEFAULT);

 

And how do I verify it?

EDIT:

I fixed it :) thanks

Back-end developer, electronics "hacker"


3 hours ago, Joveice said:

And how do I verify it?

EDIT:

I fixed it :) thanks

Glad you fixed it without any help :)

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


13 hours ago, vorticalbox said:

Because the hash is within tolerance levels, I assume. I have never really wondered why because it just works. You really don't need to set any options.


$password = password_hash($_POST["password"], PASSWORD_DEFAULT);

 

 

Except you do need to set options if you want to use a salt value. Which you should.


3 minutes ago, SSL said:

 

Except you do need to set options if you want to use a salt value. Which you should.

The documentation suggests that you normally should let the salt be generated by the function and almost never need to manually set it.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


The reason why the hash is different every time is that the salt is different (and randomly generated). When you use password_verify, it will hash the password using the same salt. 

It knows what the salt should be because password_hash doesn't actually just return the hashed password, it returns a string with the salt, the hash options (algorithm, cost factor etc), and the salt, so that password_verify can always generate an identical hash. 

 

You shouldn't manually generate the salt as they have done in the example code - let password_hash deal with it for you. 

HTTP/2 203
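
Added example, not part of any post in this thread: the PHP below shows the behaviour described in the post above (the salt and cost travel inside the string that password_hash returns) and why the first snippet in the opening post prints "Invalid password.": it stores the hash with "\n" appended before verifying. It goes one step further and shows upgrading a hash when the cost is raised. The helper splitBcrypt() and the cost value 12 are assumptions made for this example.

```php
<?php
// Added example, not code from the thread; splitBcrypt() is a hypothetical helper.

// Split a bcrypt string into the parts password_verify() reads back out of it:
// "$2y$" variant, two-digit cost, 22-character salt, 31-character digest.
function splitBcrypt(string $hash): array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#D';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a 60-character bcrypt string');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'rasmuslerdorf';   // sample password from the opening post
$options  = ['cost' => 11];    // no 'salt' key: password_hash() generates one itself

// Same password, two calls: the strings differ because each call draws a new salt.
$hashA = password_hash($password, PASSWORD_BCRYPT, $options);
$hashB = password_hash($password, PASSWORD_BCRYPT, $options);
printf("A salt=%s\nB salt=%s\n", splitBcrypt($hashA)['salt'], splitBcrypt($hashB)['salt']);
printf("strings equal: %s\n", var_export($hashA === $hashB, true));

// password_verify() re-hashes the candidate with the salt and cost taken from
// the stored string, so each stored hash verifies on its own.
printf("verify A: %s\n", var_export(password_verify($password, $hashA), true));
printf("verify B: %s\n", var_export(password_verify($password, $hashB), true));
printf("wrong password: %s\n", var_export(password_verify('not-the-password', $hashA), true));

// The opening post's first snippet stored password_hash(...) . "\n". The extra
// byte is not part of the hash, so the recomputed value no longer matches.
$withNewline = $hashA . "\n";
printf("with trailing newline: %s\n", var_export(password_verify($password, $withNewline), true));
printf("after rtrim(): %s\n", var_export(password_verify($password, rtrim($withNewline)), true));

// When the cost is raised later, old hashes still verify; upgrade them at login.
if (password_verify($password, $hashA)
    && password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12])) {
    $hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    printf("rehashed at cost %d\n", splitBcrypt($hashA)['cost']);
}
```

Store the returned string unmodified in a column of at least 60 characters for bcrypt; the PHP manual recommends 255 so that PASSWORD_DEFAULT can change algorithm later.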


Yeah, I don't salt it manually, I let it do all of that. I just didn't understand how it would work since (I didn't know how it knew the hash, thanks @colonel_mortis). So I have it working right now with a random hash and the verifying also works :)

Back-end developer, electronics "hacker"
