Patrick

Reputation: 3440

How is the randomly generated password salt in PHP 5.5's new password_hash function even useful?

I was just reading about the new features in PHP 5.5 and it includes new password hashing functionality (http://www.php.net/manual/en/function.password-hash.php). Now if you look at the description, the default operation of it is to randomly generate a password salt if you don't specify one.

But I don't see how that is useful, because if you are hashing the password for safe storage and the salt is random, then when you run the string the user enters for the password through, the resulting hash will be different each time if the salt is different each time. Therefore you would be unable to successfully compare a valid password entered versus a stored copy of the password hash.

So how can this be useful at all?

Upvotes: 3

Views: 620

Answers (1)

The salt is included in the hash value.

<?php

// Explicit salt given here only to make the embedding visible in the output;
// omit the 'salt' option and password_hash() generates a random one itself.
$hash = password_hash("password", PASSWORD_DEFAULT, ['salt' => 'saltsaltsaltsaltsaltsa']);
print_r(password_get_info($hash));   // algorithm and cost parsed back out of $hash
echo $hash;                          // "$2y$<cost>$<22-char salt><31-char digest>"

Outputs:

Array
(
    [algo] => 1
    [algoName] => bcrypt
    [options] => Array
        (
            [cost] => 10
        )

)

$2y$10$saltsaltsaltsaltsaltsOPRDjePxJkNp7mjBEve63IqKPFT7ehNG

As you can see, the hashing function stores information about the hashing process in the hash itself. The password_verify() function then parses the hash and validates the password based on this information.

Upvotes: 8
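The following is an added example, not code from the answer above, that makes the point concrete: with no salt supplied, two calls to password_hash() for the same password yield two different strings, the salt can be read straight back out of each string's fixed-width bcrypt layout, and password_verify() accepts both because it recovers the salt from the stored hash rather than from anywhere else. parseBcrypt() is a helper written for this illustration, the password is a constructed sample value, and password_needs_rehash() assumes PHP 5.6 or later (the rest runs on 5.5).

```php
<?php
// Added illustration (not part of the original answer): random salt per hash,
// salt recovered from the hash string, verification independent of which
// salt was drawn.

// Split a bcrypt string into its fields. Layout (standard bcrypt format):
//   $2y$<2-digit cost>$<22-char salt><31-char digest>
// All of salt and digest use bcrypt's base64 alphabet ./A-Za-z0-9.
function parseBcrypt($hash)
{
    $pattern = '/^\$2y\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'correct horse battery staple';   // constructed sample input

// No 'salt' option: password_hash() draws a fresh random salt on every call,
// so the same password produces two different stored strings.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$a = parseBcrypt($hashA);
$b = parseBcrypt($hashB);

printf("hash A: %s\nhash B: %s\n", $hashA, $hashB);
printf("salt A: %s\nsalt B: %s\nsalts differ: %s\n",
    $a['salt'], $b['salt'], $a['salt'] !== $b['salt'] ? 'yes' : 'no');

// Verification needs only the candidate password and the stored string;
// the salt and cost are parsed out of the string exactly as above.
var_dump(password_verify($password, $hashA));
var_dump(password_verify($password, $hashB));
var_dump(password_verify('wrong password', $hashA));

// Because the cost is stored alongside the salt, a stored hash can be
// checked against the current policy and rehashed on the next successful login.
if (password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12])) {
    echo "stored hash has a lower cost than policy; rehash after successful login\n";
}
```

Run with `php example.php`: the two salts printed differ on every run, the first two password_verify() calls succeed and the third fails, and the rehash check fires because the stored cost (10) is below the policy cost (12) passed to password_needs_rehash(). This is why the salt never needs a separate column: the only thing the application stores and later hands back to the library is the one string.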
