I have the code

    <?php
    // bcrypt with the default algorithm's cost set to 10
    echo password_hash( 'i=badatphp', PASSWORD_BCRYPT, [ 'cost' => 10 ] );

Every time I run the script, the password changes.

I'm using PHP 7. In PHP 5 I used to be able to set a salt, but now I can't.

How am I supposed to overcome not knowing what the salt is?

Lee
  • It's not the password that changes, it's the hash. Plus, I believe that version 7 has dropped the salting option. – Funk Forty Niner Jun 11 '16 at 15:33
  • http://php.net/manual/en/function.password-hash.php *"**Warning** The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default."* Call this an answer to your question, which I wouldn't be surprised if some hack goes and uses it as an actual answer below. *sigh* – Funk Forty Niner Jun 11 '16 at 15:39
  • You should use the random salts provided and verify passwords with password_verify(), which is able to handle the random salts. – Jay Blanchard Jun 11 '16 at 15:40
  • @JayBlanchard See, I knew it. Answers given. FFS. I said I wouldn't be surprised *lol* – Funk Forty Niner Jun 11 '16 at 15:45
  • *"You're all quick to jump down my throat"* - Huh?! *"So when I save the password in a cookie"* - Oh, that's not good, you sure you want to do that? Ask the ones who gave you answers below. – Funk Forty Niner Jun 11 '16 at 15:52

2 Answers

The reason you may see a new hash each time you run password_hash this way is that it automatically generates a new random salt, which results in a different hash even if the input password is the same.

While the salt option is deprecated as of PHP 7, it is definitely not removed from password_hash. You should note, though, that the reason it is deprecated is that it is planned for removal (probably in the next minor release of PHP). The reason it is planned for removal is that it discourages people from using inferior means of generating their salt. Since the function can generate good random salts for you automatically, there's really very little reason to want to provide your own.

In any case, password_hash is just a thin wrapper over crypt, which exposes more of the primitives of the underlying API. So if you wanted to provide your own salt through crypt, you still could. Though I highly discourage it when PHP can just do it for you with password_hash, and in a manner which is not likely to result in error.

Sherif
  • @LeeJeffries - Passwords should not be stored in a cookie. Either use a session and store the session id in the cookie, or use an authentication service and store the token; in no case store the password directly. – martinstoeckli Jun 13 '16 at 08:34
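The behaviour described in this answer and in the comment above, as an added example (not code from the question or the answers): the same password is hashed twice, the two hashes differ because each call draws a fresh random salt, yet password_verify() accepts both because the salt is carried inside the hash string. The checkLogin() function and the in-memory $users array are assumptions standing in for a real user store; only hashes are ever kept, never the password itself.

```php
<?php
// Added example: random salting by password_hash() and verification with
// password_verify(). Nothing here comes from the original question or answers.

declare(strict_types=1);

/**
 * Hash the same password twice and verify both results.
 * Returns the observations as an array so they can be inspected or asserted on.
 */
function demonstrateRandomSalt(string $password, int $cost = 10): array
{
    $first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $second = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

    return [
        'hashes_differ'      => $first !== $second,               // new salt on every call
        'first_verifies'     => password_verify($password, $first),
        'second_verifies'    => password_verify($password, $second),
        'wrong_pw_rejected'  => !password_verify($password . 'x', $first),
        // If the cost policy is raised later, this flags stored hashes that should be upgraded.
        'needs_rehash_at_12' => password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12]),
    ];
}

/**
 * Hypothetical login check against stored hashes (assumption, not a PHP API).
 * The caller never sees or stores the password; only password_verify()'s
 * boolean result matters. On success the application would start a session
 * and put the session id (not the password) in the cookie.
 */
function checkLogin(array $usersByName, string $user, string $password): bool
{
    // Constructed placeholder hash used for unknown users so the verify step
    // costs the same time whether or not the account exists.
    static $placeholder = null;
    $placeholder ??= password_hash('placeholder-not-a-real-password', PASSWORD_BCRYPT, ['cost' => 10]);

    $stored = $usersByName[$user] ?? $placeholder;
    $ok = password_verify($password, $stored);

    return isset($usersByName[$user]) && $ok;
}

// Constructed sample data; a real application reads these from its user store.
$users = [
    'lee' => password_hash('i=badatphp', PASSWORD_BCRYPT, ['cost' => 10]),
];

foreach (demonstrateRandomSalt('i=badatphp') as $check => $ok) {
    printf("%-20s %s\n", $check, $ok ? 'yes' : 'no');
}
printf("login lee/correct:    %s\n", checkLogin($users, 'lee', 'i=badatphp') ? 'accepted' : 'rejected');
printf("login lee/wrong:      %s\n", checkLogin($users, 'lee', 'guess') ? 'accepted' : 'rejected');
printf("login nobody/any:     %s\n", checkLogin($users, 'nobody', 'guess') ? 'accepted' : 'rejected');
```

Run it twice and the stored hash for `lee` will differ between runs while every verification result stays the same; that is the point the answer makes about the random salt.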
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information. http://php.net/manual/en/function.password-hash.php

As the docs state, the salt is generated and stored in the returned hash so there is no need to pass a salt to the function or to store it separately.

See this answer for a simple example of how to use password_hash.

user3389196
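To make the "algorithm, cost and salt are returned as part of the hash" point concrete, here is an added example (not code from either answer) that splits a bcrypt string produced by password_hash() into its fields and compares the manual split with what password_get_info() reports. The dissectBcrypt() function is an assumption written for this illustration; the field widths it relies on (a 22-character salt followed by a 31-character digest, 60 characters in total) are the standard bcrypt layout.

```php
<?php
// Added example: where the algorithm id, cost and salt live inside a
// password_hash() result, and why password_verify() needs nothing but that string.

declare(strict_types=1);

/**
 * Split a "$2y$<cost>$<22-char salt><31-char digest>" string into its fields.
 * Returns null if the input is not a 60-character bcrypt hash.
 * (Illustrative helper; PHP itself exposes this via password_get_info().)
 */
function dissectBcrypt(string $hash): ?array
{
    if (strlen($hash) !== 60 || $hash[0] !== '$') {
        return null;
    }
    $parts = explode('$', $hash);                 // ['', '2y', '10', '<53 chars>']
    if (count($parts) !== 4 || strlen($parts[3]) !== 53) {
        return null;
    }
    return [
        'algorithm' => $parts[1],                 // '2y' identifies bcrypt (PHP's preferred variant)
        'cost'      => (int) $parts[2],           // work factor: 2^cost iterations of key setup
        'salt'      => substr($parts[3], 0, 22),  // 128-bit random salt, bcrypt base64 alphabet
        'digest'    => substr($parts[3], 22),     // the bcrypt output itself
    ];
}

// Constructed sample: hash the password from the question at cost 10.
$stored = password_hash('i=badatphp', PASSWORD_BCRYPT, ['cost' => 10]);

$fields = dissectBcrypt($stored);
$info   = password_get_info($stored);             // PHP's own reading of the same string

printf("stored:  %s\n", $stored);
printf("algo:    %s (password_get_info: %s)\n", $fields['algorithm'], $info['algoName']);
printf("cost:    %d (password_get_info: %d)\n", $fields['cost'], $info['options']['cost']);
printf("salt:    %s\n", $fields['salt']);
printf("digest:  %s\n", $fields['digest']);

// Verification reads the algorithm, cost and salt back out of $stored, so the
// application persists this one string and nothing else.
printf("verify:  %s\n", password_verify('i=badatphp', $stored) ? 'ok' : 'fail');
```

Because the cost is recorded in the string as well, a stored hash made at cost 10 keeps verifying after the application's policy moves to a higher cost; password_needs_rehash() is the idiomatic way to detect and upgrade such hashes at the next successful login.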