0
votes

I have an input field where the users enter their username and password. Do I need to hash the password that they input, or is it OK to leave it and just use it in password_verify against the hashed database password? I am using password_hash to hash them with PASSWORD_BCRYPT and don't know how to compare them if I have to hash the input as well as the stored password.

2
You don't need to hash the password from the input field. (KIKO Software)

2 Answers

1
votes

No. When you use password_hash or similar functions to hash your passwords, you should not hash the password before testing it with password_verify. At least, as long as you don't "double hash it", which is quite useless.

The password_hash method will return a value which contains which hash it uses, the salt and the cost. So when it's passed to the password_verify method, the method will know what to do with the clear-text password passed as the first argument.

You can read about all this at the PHP docs:

http://php.net/manual/en/function.password-verify.php
http://php.net/manual/en/function.password-hash.php

0
votes

It's not necessary, but you can do that if you're expecting users to supply passwords longer than 71 characters.

If you decide to pre-hash, don't just pass a raw binary string to password_hash()/password_verify(). You'll end up creating another weakness.

The example code for the accompanying article demonstrates Bcrypt-SHA384 in this exact setup.
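An added example (not code from the question, either answer, or the article the second answer mentions) showing both points side by side: the plain password_hash()/password_verify() flow from the first answer, and the pre-hash variant from the second answer with the digest base64-encoded instead of passed as raw bytes. The function names, cost setting and sample passwords are constructed for illustration.

```php
<?php
// Added example: normal bcrypt flow, then the pre-hash flow done without
// feeding raw binary into bcrypt. Assumes PHP 7.2 or later.

// 1. Normal flow (first answer): store password_hash() output as-is and hand the
//    clear-text input straight to password_verify().
function registerUser(string $plainPassword): string
{
    // The returned string embeds the algorithm id, cost and salt ("$2y$12$..."),
    // which is why password_verify() needs nothing but the clear-text input.
    return password_hash($plainPassword, PASSWORD_BCRYPT, ['cost' => 12]);
}

function loginUser(string $plainPassword, string $storedHash): bool
{
    // Do NOT password_hash() the input first: the embedded salt makes every
    // call produce a different string, so a string comparison could never match.
    return password_verify($plainPassword, $storedHash);
}

// 2. Pre-hash flow (second answer) for inputs longer than bcrypt will read.
//    bcrypt treats its input as a C string, so a raw digest containing a NUL
//    byte would be cut off there; base64 keeps the digest printable.
//    SHA-384 gives 48 bytes -> 64 base64 characters, which fits inside bcrypt's
//    72-byte limit; SHA-512 would give 88 characters and be truncated.
function preHash(string $plainPassword): string
{
    return base64_encode(hash('sha384', $plainPassword, true));
}

function registerUserPreHashed(string $plainPassword): string
{
    return password_hash(preHash($plainPassword), PASSWORD_BCRYPT, ['cost' => 12]);
}

function loginUserPreHashed(string $plainPassword, string $storedHash): bool
{
    // Apply the same pre-hash to the input, then let password_verify() do the rest.
    return password_verify(preHash($plainPassword), $storedHash);
}

// Constructed demonstration inputs (not real credentials).
$stored = registerUser('correct horse battery staple');
var_dump(loginUser('correct horse battery staple', $stored));
var_dump(loginUser('wrong password', $stored));

$longPassword = str_repeat('a', 100) . 'X';   // well past bcrypt's 72-byte cutoff
$storedLong = registerUserPreHashed($longPassword);
var_dump(loginUserPreHashed($longPassword, $storedLong));
var_dump(loginUserPreHashed(str_repeat('a', 100) . 'Y', $storedLong));
```

Whichever flow you pick, use it for both registration and login; a hash stored from one flow will never verify against input prepared with the other.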