14
votes

The function password_verify() in the new PHP password API checks if the password corresponds to the hash. The hash is generated by password_hash(), which by default uses a random salt and a cost = 10.

I always thought (although I never studied it) that you have to store the salt inside the database and then when you want to verify the password, hash it with the given salt using the same cost. How can password_verify() check the password without knowing salt and cost?


1 Answer

13
votes

The string returned by password_hash() contains not only the hash, but also the algorithm, cost and salt.
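To make the answer concrete, here is an added example (not code from the original answer) that takes the string password_hash() returns apart into its fields, then shows that crypt() with the same algorithm, cost and salt reproduces the identical string, which is what password_verify() relies on. The password value is a constructed sample; the layout it splits is the standard bcrypt modular-crypt format `$2y$<cost>$<22-char salt><31-char digest>`.

```php
<?php
// Added example: the string returned by password_hash() carries the
// algorithm identifier, the cost and the salt, so password_verify()
// needs nothing stored besides that one string.

$password = 'correct horse battery staple'; // constructed sample value

// Default algorithm (bcrypt) with default cost 10; a random salt is
// generated internally on every call, so $hash differs between runs.
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash, PHP_EOL;

// password_get_info() reads algorithm and cost back out of the string.
print_r(password_get_info($hash));

// Splitting the bcrypt string by hand makes the layout explicit:
// $2y$<cost>$<22 chars of salt><31 chars of digest>
[, $id, $cost, $saltAndDigest] = explode('$', $hash);
$salt   = substr($saltAndDigest, 0, 22);
$digest = substr($saltAndDigest, 22);
printf("id=%s cost=%s salt=%s digest=%s\n", $id, $cost, $salt, $digest);

// crypt() with the same "$2y$<cost>$<salt>" prefix deterministically
// recomputes the full string: same salt and cost give the same result.
// This is the mechanism password_verify() uses: re-hash the candidate
// with the stored parameters, then compare against the stored string.
$recomputed = crypt($password, '$' . $id . '$' . $cost . '$' . $salt);
echo 'recomputed matches stored: ';
var_dump(hash_equals($hash, $recomputed));

// password_verify() wraps exactly that, including a constant-time compare.
echo 'correct password: ';
var_dump(password_verify($password, $hash));
echo 'wrong password:   ';
var_dump(password_verify('wrong password', $hash));

// Because the cost travels with each hash, hashes made with an older,
// lower cost can be detected and re-hashed on the next successful login
// without any schema change to the database.
echo 'needs rehash at cost 12: ';
var_dump(password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12]));
```

The takeaway for the database schema: a single column wide enough for the full string (60 characters for bcrypt, more if PASSWORD_DEFAULT changes in a future PHP release, so a 255-character column is the usual advice) is all that is needed; no separate salt or cost columns, and the parameters can be raised later without migrating existing rows.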