
I am using the following PHP code to hash a user's password.

```php
$options = [
    'cost' => 10,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];

$hash = password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
```

Is this method safe? Is the password getting salted?

Funk Forty Niner
Coder Boy
  • The documentation for [`password_hash()`](http://php.net/manual/en/function.password-hash.php) **specifically** says ___Do not make up your own SALT___. You won't do as good a job as the function does unless you are a cryptographic EXPERT. Also the ability to create your own SALT is deprecated (will soon be removed), so why bother writing code that won't run soon! – RiggsFolly Jun 16 '17 at 11:02
  • *"Is this method safe? Is the password getting salted?"* - Short answer: Yes. Longer answer: Consult the duplicates the question was closed with. If you're still unsure about it, don't use it and don't get on the web. – Funk Forty Niner Jun 16 '17 at 11:11
  • Take note that in PHP 7.0.0, salting is deprecated *"**Warning** The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default."* as per http://php.net/manual/en/function.password-hash.php – Funk Forty Niner Jun 16 '17 at 11:13

1 Answer


In most cases it is best to omit the salt parameter. Without this parameter, the function will generate a cryptographically safe salt, from the random source of the operating system.

Ref: php.net/manual/en/function.password-hash.php#111620

Mr.Throg
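The behaviour described in the answer, as an added example that is not part of the original post or of the PHP manual: `password_hash()` is called without a `salt` option, the salt it generates is read back out of the resulting bcrypt string, and a login check re-hashes when the cost changes. The helper names `hash_password`, `bcrypt_parts` and `verify_and_upgrade` are hypothetical, and the cost values are sample settings.

```php
<?php
declare(strict_types=1);

// Hash with the salt that password_hash() generates itself: no 'salt' option.
function hash_password(string $password, int $cost = 10): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if (!is_string($hash)) {            // false or null on failure before PHP 8
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Split a bcrypt string: "$2y$<cost>$" + 22-char salt + 31-char digest.
function bcrypt_parts(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Check a login attempt; re-hash with a fresh salt if the stored cost is outdated.
function verify_and_upgrade(string $password, string $stored, int $cost): array
{
    if (!password_verify($password, $stored)) {   // salt and cost are read from $stored
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $stored = hash_password($password, $cost);
    }
    return [true, $stored];
}

$password = 'rasmuslerdorf';            // sample password from the question
$first  = hash_password($password);
$second = hash_password($password);

// The same password hashed twice: compare the salts embedded in each string.
var_dump(bcrypt_parts($first)['salt'] !== bcrypt_parts($second)['salt']);

// Only the hash string is stored; verification needs no separate salt column.
var_dump(password_verify($password, $first), password_verify('wrong', $first));

// Raising the cost later triggers a transparent upgrade at the next login.
[$ok, $upgraded] = verify_and_upgrade($password, $first, 12);
var_dump($ok, bcrypt_parts($upgraded)['cost']);
```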