Reputation: 8965
correct use of password_hash
I am trying to figure out the correct use of password_hash I have the following script below
<?php
$password = "test3";
$hashAndSalt = password_hash($password, PASSWORD_BCRYPT);
echo $hashAndSalt;
?>
as far as I know this is supposed to create a salt too?
When ever I run the script the beginning of the hash starts with "$2y$10$" the remainder always changes on each run.
$2y$10$.YHHLeFYcQoE6c//vl587uIFTOljmpmuDnSA0w0dxo1Rrpvi5zM9m <- run one
$2y$10$b6n3chpTQk1X7c0OdPp0ceZmw3GvZFsLx9FHq9RnYaJgbld915oYG <- run two
$2y$10$AGffB7R1rTko8UmS1m6wT.ybG78.CkwrxqoRteNMeRPXexpSJW5iO <- run three
Is it supposed to work like this? is this the correct way of storing password in database?
Upvotes: 1
Views: 1374
Answers (1)
Reputation: 64657
$2y$10$.YHHLeFYcQoE6c//vl587uIFTOljmpmuDnSA0w0dxo1Rrpvi5zM9m
| | | | |
| | | | |
| | | |---------------------------------Hashed Password
| | |----------------------Salt
| |----Cost
----Algorithm
The hash contains all the information necessary to see if the password matches the hash for a given string. You know the algorithm it was hashed with, the salt, and what it hashed to. So all you have to do is supply a string, pass it through the same algorithm with the same salt and cost, and it will either equal the hash or not.
So to answer your question, yes it is supposed to work like that. The salt changes every time, which means the hashed password changes every time, but you can always check if a password hashes to the same hashed password, because the hash contains the salt.
Upvotes: 3
Related Questions
- Why is PHP's hashing Algo not working right?
- Using PHP 5.5's password_hash and password_verify function
- Issues implementing password_hash in PHP
- Questions regarding PHP's password_hash()
- PHP: Password Hashing
- PHP hash_password function
- password_hash() PASSWORD_DEFAULT PHP 5.5
- password_hash function in php 5.5
- PHP Password_Hash Function
- Password hash in PHP: Am I Doing This Right?