22
votes

I'm making a login system and I want to hash the passwords to make them more secure, but it returns a different hash every time and can't even be verified using password_verify(). Here is my code:

$password = password_hash($password4, PASSWORD_DEFAULT);

and here is my code for verifying:

if(password_verify($password4, $dbpassword))
1
You shouldn't be using password_hash() that way. - Jay Blanchard
That assertion is incorrect @ItzBenteThePig - additional hashing makes for problems, rather than solutions. Think about what you're trying to protect. password_hash(), used correctly, provides random salts and long hashes that would take hundreds of years to crack. - Jay Blanchard
@JayBlanchard For me those links just look like a guide to creating a secure password, not to hashing them. - ItzBenteThePig
I rolled back to your original question as the stealth edit makes it seem that your function is not working properly. The additional function call is what was getting you into a bind, editing that out changes the nature of the question. - Jay Blanchard

1 Answer

40
votes

So let's take it one part at a time.

but it returns a different hash every time

That's the idea. password_hash is designed to generate a random salt every time. This means you have to break each hash individually instead of guessing one salt used for everything and having a huge leg up.

There's no need to MD5 or do any other hashing. If you want to raise the security of password_hash, you pass a higher cost (the default cost is 10):

$password = password_hash($password4, PASSWORD_DEFAULT, ['cost' => 15]);

As to verifying:

if(password_verify($password4, $dbpassword))

So $password4 should be your unhashed password and $dbpassword should be the hash you've stored in your database.
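The following is an added, self-contained PHP example that is not part of the question or the answer above. It shows the two points the answer makes: hashing the same password twice yields two different strings (fresh random salt each time), yet both strings verify with password_verify() because the salt is stored inside the hash. It also shows how to raise the cost later without locking users out, using password_needs_rehash(). The function names (hashPassword, verifyPassword, needsRehash), the sample password and the cost values are all constructed for the example; $password4 and $dbpassword are reused from the question to keep the mapping clear.

```php
<?php
// Added example, not code from the question or the answer.
declare(strict_types=1);

// Hash a plaintext password. PASSWORD_DEFAULT currently selects bcrypt;
// 'cost' is the work factor (each +1 roughly doubles the hashing time).
function hashPassword(string $plain, int $cost = 12): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

// Compare a plaintext password against a stored hash. The salt and cost
// are parsed out of the stored hash string, so nothing else is needed.
function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Report whether a stored hash was produced with a weaker setting than
// the current policy (for example after the cost was raised).
function needsRehash(string $storedHash, int $cost = 12): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => $cost]);
}

// --- Constructed demo values ---------------------------------------------
$password4 = 'correct horse battery staple';   // constructed sample input

$hashA = hashPassword($password4);
$hashB = hashPassword($password4);

// Two calls, two different strings: the random salt differs each time.
var_dump($hashA !== $hashB);

// Both still verify, because each string carries its own salt.
var_dump(verifyPassword($password4, $hashA));
var_dump(verifyPassword($password4, $hashB));
var_dump(verifyPassword('wrong password', $hashA));

// --- Simulated login -------------------------------------------------------
// $dbpassword stands in for the hash read back from the users table.
$dbpassword = $hashA;

if (verifyPassword($password4, $dbpassword)) {
    // Transparent upgrade: if policy now requires cost 13, rehash while the
    // plaintext is available and persist the new value.
    if (needsRehash($dbpassword, 13)) {
        $dbpassword = hashPassword($password4, 13);
        // Here you would run: UPDATE users SET password = :hash WHERE id = :id
    }
    echo "login ok\n";
} else {
    echo "login failed\n";
}
```

Two practical notes. First, store the full string password_hash() returns (60 characters for bcrypt, longer for other algorithms), never a substring, or password_verify() cannot recover the salt and cost. Second, pick the cost by measuring: a cost of 15 as in the answer is about 32 times slower than the default of 10, which is fine for a login form but may be too slow under load, so benchmark password_hash() on the production hardware and settle on the highest cost that stays in the low hundreds of milliseconds.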