
I know this has been asked before, but I just want to make sure what I've got is up to date and secure for obvious reasons before we go live.

I've used this method to secure passwords:

'password' => password_hash($_POST['password'], PASSWORD_DEFAULT)."\n",

This is a user input form to create a new account. My understanding is this hashes the password and uses salt serverside for extra security. Am I right in thinking this or am I missing something?

James
  • Why don't you simply take a look at the function's documentation? It explains all the details, that is what the documentation is for... http://php.net/manual/en/function.password-hash.php – arkascha Jun 24 '17 at 21:32
  • Thanks and I've been doing this but I'm new to PHP as a language and just wanted to get a second opinion I hadn't made an obvious error. – James Jun 24 '17 at 21:33
  • Possible duplicate of [Secure hash and salt for PHP passwords](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) –  Jun 27 '17 at 21:33

1 Answer


"Am I right in thinking this or am I missing something?"

It's not what's missing, but what is "too much".

You need to get rid of the ."\n" in this:

'password' => password_hash($_POST['password'], PASSWORD_DEFAULT)."\n",

since it is adding/embedding a hidden linebreak to the hash and will fail silently on password_verify().

You can also use trim(), which is one way of getting rid of it before it gets inserted in your database. But, it's best to just delete it altogether.

This has been stated in a user contributed note in the manual:

Be careful when using the example from the documentation which concatenates a newline character \n to the end of the hash, i.e.: echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n"; People are storing the hash with the concatenated newline and consequently password_verify() will fail.

Funk Forty Niner
  • Thank you for your input I really appreciate it! I've removed the "\n" this was just from a tutorial I followed. – James Jun 25 '17 at 21:37
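As an added example (not code from the question or the answer above), the failure the answer describes, in runnable PHP: the hash stored with the stray "\n" fails password_verify(), while the clean hash and the trim() workaround succeed. It assumes PHP 7 or later, and the $submitted value stands in for $_POST['password'].

```php
<?php
// Added example, not from the question or answer: shows why a trailing "\n"
// on the stored hash breaks password_verify() and how to avoid it.
// Assumes PHP 7+; $submitted is a constructed stand-in for $_POST['password'].

$submitted = 'correct horse battery staple'; // constructed sample input

// The bug from the question: a newline concatenated onto the hash.
$storedWithNewline = password_hash($submitted, PASSWORD_DEFAULT) . "\n";

// The fix: store exactly what password_hash() returns, nothing appended.
$storedClean = password_hash($submitted, PASSWORD_DEFAULT);

function checkLogin(string $password, string $storedHash): bool
{
    // password_verify() parses the stored string as a self-describing hash
    // ("$2y$10$..." for bcrypt). Any extra byte such as "\n" makes it
    // return false; no exception or warning is raised, so it fails silently.
    return password_verify($password, $storedHash);
}

var_dump(checkLogin($submitted, $storedWithNewline));       // bool(false)
var_dump(checkLogin($submitted, $storedClean));             // bool(true)

// The trim() workaround from the answer, for hashes that were already
// stored with the newline: strip surrounding whitespace before verifying.
var_dump(checkLogin($submitted, trim($storedWithNewline))); // bool(true)

// Defensive check for the registration path: refuse to store anything that
// carries whitespace or that password_get_info() does not recognise as a
// known algorithm (a 61-byte bcrypt string with "\n" is not recognised).
function isStorableHash(string $hash): bool
{
    return $hash === trim($hash)
        && !empty(password_get_info($hash)['algo']);
}

var_dump(isStorableHash($storedWithNewline)); // bool(false)
var_dump(isStorableHash($storedClean));       // bool(true)
```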