2

I've been reading up on the usage of the PHP Password_Hash Function it states that it automatically generates a salt and manually generating one is not advised.

With this in mind, does this mean I can execute the following code:

    $password = password_hash('mypassword', PASSWORD_DEFAULT);

creating a hashed and salted password that needs nothing further doing to it other than storing into a MySQL table column?

Improve this question

2 Answers 2

Reset to default
4

password_hash generates both the salt and the hash. It then combines them into a single string, so you don't have to store them separately, like it's usually done.

That's also why password_verify takes only two parameters: a password and a combination of salt and hash.

Generating your own salt is not advised because you might do it wrong. For example, you could create one incorrectly by generating a predictable string or making it too short. Additionally, since the password_hash function already does that, why bother? If the user changes the password then usually both the hash and the salt are regenerated.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Does this mean that the api uses the same salt for all passwords ? I thought a salt was to be stored separately to add to the password and then to generate the hashed password. How does the verify_password function know what salt to add to the password ? I am probably missing something fundamentally here.
0

Yes. You can then retrieve it and use password_verify() to check to see if a user-supplied password matches the stored hash.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.