The password_verify() function in the new PHP password API checks whether a password matches a hash. The hash is generated by password_hash(), which by default uses a random salt and cost = 10.
I always thought (although I never studied it) that you need to store the salt in the database, and then, when you want to verify the password, hash it with the given salt using the same cost. How does password_verify() check the password without knowing the salt and cost?
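An added example, not part of the original question, showing where the salt and cost actually live: PHP embeds both inside the 60-character string that password_hash() returns, and password_verify() reads them back from that string before recomputing. It assumes PHP 5.5 or later with PASSWORD_BCRYPT available; the password value is a constructed sample.

```php
<?php
// Added example (not from the original post): the value returned by
// password_hash() already carries the algorithm, the cost and the salt,
// so no separate salt column is needed for password_verify().

$password = 'correct horse battery staple'; // constructed sample password

// bcrypt with the default cost (10) and a random salt generated by PHP.
$hash = password_hash($password, PASSWORD_BCRYPT);

// bcrypt layout: $2y$<2-digit cost>$<22-char salt><31-char digest>
if (!preg_match('/^\$2y\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
    throw new RuntimeException('unexpected hash format');
}
[, $cost, $salt, $digest] = $m;

printf("hash   : %s\n", $hash);
printf("cost   : %d\n", (int) $cost);   // read from the stored string
printf("salt   : %s\n", $salt);          // read from the stored string
printf("digest : %s\n", $digest);

// password_verify() is equivalent to running crypt() with the stored hash as
// the "salt" argument: crypt() parses the $2y$ prefix, the cost and the salt
// from it, so the same password must reproduce the identical 60-char string.
$recomputed = crypt($password, $hash);
echo hash_equals($hash, $recomputed)
    ? "crypt() with the stored hash reproduces it exactly\n"
    : "mismatch: the salt/cost were not recovered from the hash\n";

echo password_verify($password, $hash)
    ? "password_verify(): correct password accepted\n"
    : "password_verify(): correct password rejected\n";

echo password_verify('wrong password', $hash)
    ? "password_verify(): wrong password wrongly accepted\n"
    : "password_verify(): wrong password rejected\n";

// password_get_info() exposes the same parameters without manual parsing.
print_r(password_get_info($hash));
```

Because the cost is stored with the hash, raising the default cost later does not break verification of older hashes; password_needs_rehash() tells you which stored values still use the old parameters.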