I was wondering if it was possible/wise to use password_hash twice for my users passwords on my website.
So let's say this:
$loginHash1 = password_hash($input, PASSWORD_BCRYPT);
The whole point of the password hashing API is to make it simple to implement secure hashing. Adding complexity as you are will not add any security, and it makes your code more difficult to debug. Use one password_hash and one password_verify. PASSWORD_DEFAULT is chosen to be very strong already:
$hash = password_hash($cleartext, PASSWORD_DEFAULT);
$isCorrect = password_verify($cleartext, $hash);
If you're not happy with PHP's very strong defaults, you can look into the cost setting. But it's really not needed. The docs say:
password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.
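As an added illustration of the answer above (example code, not part of the question or the answer), here is the one-hash/one-verify pattern with the cost setting applied and a rehash check so the cost can be raised later without breaking existing accounts. The function names, the cost value of 12 and the sample password are assumptions made for this example; the PHP functions used (password_hash, password_verify, password_needs_rehash) are the real standard-library API.

```php
<?php
// Added example (not from the question or answer): one password_hash on
// registration, one password_verify on login, plus a rehash check so the
// work factor can be raised later. Function and variable names are illustrative.

// The tuning knob the answer mentions: bcrypt's cost (work factor). PHP's
// default is 10; 12 here is an assumed value. Raise it until one hash takes
// a noticeable fraction of a second on the login servers, then stop.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Registration: a single call handles algorithm, random salt and rounds.
function registerUser(string $cleartext): string
{
    return password_hash($cleartext, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Login check. Returns the stored hash unchanged on success, a freshly
 * computed hash if the stored one uses an older algorithm or lower cost
 * (write it back to the database), or null if the password was wrong.
 */
function loginUser(string $cleartext, string $storedHash): ?string
{
    if (!password_verify($cleartext, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        // Same cleartext, new salt and current parameters.
        return password_hash($cleartext, HASH_ALGO, HASH_OPTIONS);
    }
    return $storedHash;
}

// --- Demonstration with a constructed password ---
$password = 'correct horse battery staple'; // constructed sample value

$stored = registerUser($password);
echo "stored: $stored\n";

var_dump(loginUser($password, $stored) === $stored);
var_dump(loginUser('wrong password', $stored));

// An older record hashed at a lower cost is upgraded transparently on login.
$legacy = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = loginUser($password, $legacy);
var_dump($upgraded !== null && $upgraded !== $legacy);

// Why hashing twice cannot even be verified: every password_hash() call
// draws a fresh random salt, so the inner hash differs on each call and the
// outer password_verify() would be checking a different input every time.
$inner1 = password_hash($password, PASSWORD_BCRYPT);
$inner2 = password_hash($password, PASSWORD_BCRYPT);
var_dump($inner1 === $inner2);
```

The last three lines show the practical problem with the double-hash idea from the question: because the inner password_hash output is salted and therefore different on every call, the only way to make the outer verify succeed would be to store the inner hash as well, which gives back exactly the single-hash scheme with extra code. The cost/rehash path is where real tuning belongs: one hash, one verify, and password_needs_rehash to migrate old records when you raise the cost.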