I have an input field where the users enter their username and password. Do I need to hash the password that they input, or is it ok to leave it and just use it in password_verify against the hashed database password? I am using password_hash to hash them with PASSWORD_BCRYPT and don't know how to compare them if I have to hash the input as well as the stored password.
2 Answers
No. When you use password_hash or similar functions to hash your passwords you should not hash the password before testing it with password_verify. At least as long as you don't "double hash it", which is quite useless.

The password_hash method will return a value which contains which hash it uses, the salt and the cost. So when it's passed to the password_verify method, the method will know what to do with the clear text password passed as first argument.

You can read about all this at the PHP docs:

http://php.net/manual/en/function.password-verify.php
http://php.net/manual/en/function.password-hash.php
It's not necessary, but you can do that if you're expecting users to supply passwords longer than 71 characters.

If you decide to pre-hash, don't just pass a raw binary string to password_hash()/password_verify(). You'll end up creating another weakness.

The example code for the accompanying article demonstrates Bcrypt-SHA384 in this exact setup.
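The following is an added example, not code from either answer or from the linked article: it shows the plain password_hash()/password_verify() flow the first answer describes, and the Bcrypt-SHA384 pre-hash the second answer alludes to, with the SHA-384 digest base64-encoded so that no raw binary (which can contain NUL bytes that bcrypt treats as end of string) reaches bcrypt. Function names and the cost value are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Plain bcrypt: store the string returned by password_hash() as-is.
// It embeds the algorithm, cost and salt (e.g. "$2y$12$..."), so
// password_verify() can recompute the hash from the clear-text input.
function registerUser(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function loginUser(string $password, string $storedHash): bool
{
    // Pass the clear-text input; do NOT hash it yourself first.
    return password_verify($password, $storedHash);
}

// Pre-hash variant (Bcrypt-SHA384): SHA-384 keeps long passwords from being
// silently truncated by bcrypt's input limit, and base64 turns the raw
// digest into printable ASCII so bcrypt never sees a NUL byte.
function preHash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function registerUserPrehashed(string $password): string
{
    return password_hash(preHash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function loginUserPrehashed(string $password, string $storedHash): bool
{
    // Apply the identical pre-hash before verifying; password_verify()
    // then compares it against the stored bcrypt hash.
    return password_verify(preHash($password), $storedHash);
}

// Demonstration with constructed sample values.
$hash = registerUser('correct horse battery staple');
var_dump(loginUser('correct horse battery staple', $hash));
var_dump(loginUser('wrong password', $hash));

// Two passwords that differ only after byte 72: without the pre-hash,
// bcrypt alone would accept the second one for the first one's hash.
$long = str_repeat('a', 72) . 'tail';
$hash2 = registerUserPrehashed($long);
var_dump(loginUserPrehashed($long, $hash2));
var_dump(loginUserPrehashed(str_repeat('a', 72) . 'other', $hash2));
```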