
I was reading about the new password hashing API in PHP 5.5. It has a hashing function, password_hash(), which makes providing a salt optional, which means it would generate the salt automatically. But since the salt needs to be the same for one password for it to be hashed again for comparison, it must generate the salt from the hash, or from the password itself. How does that work?

Edit: I have seen the linked question which is supposedly a duplicate, but it doesn't answer the question. If the salt is generated randomly, how do we know it will be the same for comparison? For comparison we need to know the salt. But it is generated randomly every time.

Achshar
  • But that doesn't explain the problem in my question: if the salt is generated randomly, how do we know it will be the same when we compare it? For comparison we need to know the salt. – Achshar Jun 21 '13 at 16:37
  • Again, check out [Do I need to store the salt with bcrypt](http://stackoverflow.com/q/277044/338665). Basically, everything that's needed is in the return from `password_hash()` (or `crypt()`)... – ircmaxell Jun 21 '13 at 16:39
  • The answer there is `The salt is *probably* incorporated into the hash (as plaintext).` (emphasis mine). It's just an educated guess. That's not an answer. – Achshar Jun 21 '13 at 16:42
  • It's not *probably*. It is. I quoted that answer because it is absolutely correct. It was not an educated guess. Seriously, search Google for yourself; there are tons of resources out there that show the salt is part of the result string that comes out of crypt (and the documentation of [`password_verify`](http://php.net/password_verify) says as much as well). – ircmaxell Jun 21 '13 at 16:47
  • Apparently so; the only reason I was skeptical was because the salt is not returned in [password_get_info](http://in1.php.net/manual/en/function.password-get-info.php). – Achshar Jun 21 '13 at 16:55
  • @Achshar: Technically it's not possible to say from the hash alone whether the salt was provided as an option or generated. Therefore `password_get_info()` does not return it, because it would be guessing. But in the end this has nothing to do with the API: as you outline already in your question, the salt must be somewhere, otherwise you couldn't verify the hash. – hakre Jun 21 '13 at 17:16
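As an added example (not code from the question, the commenters or the PHP manual), the following PHP script shows where the salt ends up: it splits a bcrypt string returned by password_hash() into cost, salt and digest, reproduces the same hash with crypt() from that embedded salt, and confirms that password_get_info() reports algorithm and cost but no salt. The splitBcrypt() and check() helpers and the sample password are assumptions made for this illustration.

```php
<?php
// Added example: the random salt lives inside the string password_hash()
// returns, so password_verify() needs nothing else to recompute and compare.

function check(bool $cond, string $msg): void {
    if (!$cond) { throw new RuntimeException("check failed: $msg"); }
}

// Hypothetical helper: split "$2y$<cost>$<22-char salt><31-char digest>".
function splitBcrypt(string $hash): array {
    if (!preg_match('/^\$2y\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['cost' => (int)$m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Two calls, two different random salts, two different 60-char strings.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
check($h1 !== $h2, 'each call picks a fresh salt');

// Both still verify: the salt is read back out of each stored string.
check(password_verify($password, $h1), 'h1 verifies');
check(password_verify($password, $h2), 'h2 verifies');
check(!password_verify('wrong password', $h1), 'wrong password rejected');

// Pull the salt out yourself and feed it to crypt(): the result matches,
// which is exactly what password_verify() does internally.
$parts    = splitBcrypt($h1);
$settings = sprintf('$2y$%02d$%s', $parts['cost'], $parts['salt']);
check(crypt($password, $settings) === $h1, 'embedded salt reproduces hash');

// password_get_info() exposes algorithm and cost only; the salt is not
// reported, because it cannot tell a supplied salt from a generated one.
$info = password_get_info($h1);
check(!isset($info['options']['salt']), 'no salt in password_get_info()');
check($info['options']['cost'] === 10, 'cost is reported');

// Storage rule that follows: persist the whole string, no separate salt column.
printf("algo: %s  cost: %d\nsalt: %s\ndigest: %s\n",
    $info['algoName'], $parts['cost'], $parts['salt'], $parts['digest']);
```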

0 Answers