0

I am wondering about how password_verify() verifies the hash, I have reviewed the documentation and many answers in StackOverflow, but I didn't get the idea because, as I understood, this function will compare the hash with entered password after hashing it again, and use the same salt and cost and algorithm,

but the question here: if anyone can separate the salt from the hashed password, then anybody also can try to use rehash and try to match, and the salt will be useless here. Am I right, or what?

Osama Mohammed
  • 2,433
  • 13
  • 29
  • 61
  • 1
    Password hashing with salts only really helps guard against password cracking by using rainbow tables which are not so useful now computers are so much faster than they used to be. Reverse hashing a strong password hashed even with md5, which everyone says is insecure, is not feasible in a reasonable time with current technology. – Simon Goater Dec 05 '22 at 11:14
  • 1
    @SimonGoater The protection provided by salt and the optimisation provided by rainbow tables aren't directly connected. A salt just ensures that two users with the same password don't have the same hash, and therefore every hash has to be attacked separately; a rainbow table is just an optimised way of storing a set of pre-computed hashes. So salts defeat rainbow tables *and any other reuse of hashes*, such as checking the same hash against all entries in a stolen database. – IMSoP Dec 05 '22 at 12:46
  • 1
    It's a valid point that if you having a list of passwords you're trying to crack, then it's easier to find results by brute force if they don't use a salt or all use the same salt than if each password is hashed with a unique salt. It's still much more secure however, to ensure the password is unguessable. It's the security of the password that people should care most about. In my opinion, salts give little more than an illusion of additional security. – Simon Goater Dec 05 '22 at 13:11
  • 1
    Salt is not really a secret. It's there just to avoid having the same hash for every duplicate password. – Álvaro González Dec 05 '22 at 13:12
  • 1
    @SimonGoater I don't think it's an illusion, it's just an *additional* measure that's pretty easy for a system's designer to implement, and coupled with an appropriately resource-intensive hash algorithm makes some attacks much less likely to succeed. It doesn't replace the need for passwords to be hard to guess (which is *not* the same as a naive estimate of "entropy"), it supplements it. – IMSoP Dec 05 '22 at 13:49

1 Answers1

1

The salt have to be generated randomly each time the fonction is used (and it's what this function does, and not accept custom salt anymore).

For example:

<?php
$password = "nothing";
echo password_hash($password, PASSWORD_DEFAULT);
echo PHP_EOL;
echo password_hash($password, PASSWORD_DEFAULT);

Give the response :

$2y$10$mdJRjsoc1vR11SKa2JDyS.qSlxja/a0SUPuXC1NKsRLkzmayKwjku
$2y$10$H2th6dRY/i.xZzXSGxDZ1uaiwZx6s0.FM0NXcBcBQ0E2aNEHCJ57m

It's the same password with differents results.

The hashed password is stored in a database or a file. In this case, an admin system (or someone who's hacked the database) can't say if the same password is used by differents users. Another point, rainbow tables can't be used with hashed password with salt. Only brut force can be done.

Using the same salt for all is not more secure than using simple hash algorytm.

svgta
  • 343
  • 1
  • 6