-1

I hashed a password through

$hashedpassword = password_hash($Password, PASSWORD_DEFAULT);

This stores the password as a hashed value in a database. But when I try to log in through

$Password=$_POST['Password'];

$hashedpassword = password_hash($Password, PASSWORD_DEFAULT);
if(password_verify($Password, $hashedpassword))

It will always tell me that the password is correct, regardless of whether it is or not. Is there a way around this, so I can hash the password but log in with the entered (non-hashed) password?

John Conde
JakeL

1 Answer

2

At some point in the past, when the account was created or when the password was last changed, you should have stored the hashed password.

You need to get the stored password hash from the database and use that with password_verify.

Currently, you are hashing the newly submitted password and verifying the submitted password against that, so of course, it always matches.

Quentin
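The flow the answer describes, as an added example that is not part of the original question or answer: the hash is created once at registration, and login fetches that stored hash and passes it to password_verify. The `users` table, its column names, the `register`/`login` function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: table, column and function names are assumptions.
$pdo = new PDO('sqlite::memory:');   // in-memory stand-in for the real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration or password change: hash once and store only the hash.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the STORED hash and verify the submitted password against it.
// Never call password_hash() here: each call uses a fresh random salt, so a
// newly generated hash says nothing about what is in the database.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when the user does not exist

    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample account and login attempts.
register($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong password'));
var_dump(login($pdo, 'nobody', 'anything'));
```

Only the first login attempt succeeds; the wrong password and the unknown user are both rejected with the same result, so the response does not reveal which usernames exist.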