Just another programmer - 3 years ago 113
SQL Question

Does user input need to be hashed before being used in password_verify?

I have an input field where the users enter their username and password. Do I need to hash the password that they input, or is it OK to leave it and just use it in password_verify against the hashed database password? I am using password_hash to hash them with PASSWORD_BCRYPT and don't know how to compare them if I have to hash the input as well as the stored password.

Answer Source

No. When you use password_hash or similar functions to hash your passwords, you should not hash the password before testing it with password_verify. At least, as long as you don't "double hash" it, which is quite useless.

The password_hash method will return a value which contains which hash it uses, the salt and the cost. So when it's passed to the password_verify method, the method will know what to do with the clear-text password passed as the first argument.

You can read about all this at the PHP docs:

http://php.net/manual/en/function.password-verify.php
http://php.net/manual/en/function.password-hash.php
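The flow described in the answer, as an added example that is not part of the original question or answer: the raw form input goes straight into password_verify, the stored string already carries algorithm, cost and salt, and hashing the input first breaks verification. Function names and the sample password are assumptions for the demo.

```php
<?php
// Added example (not from the original question or answer). Shows registration-time
// hashing and login-time verification with PHP's built-in password_hash/password_verify.
// The plaintext password below is a constructed sample.

declare(strict_types=1);

// Registration: hash once and store the full string password_hash returns.
function registerUser(string $plainPassword): string
{
    // The returned string embeds the algorithm id, cost and salt (e.g. "$2y$10$..."),
    // so no separate salt column is needed in the database.
    return password_hash($plainPassword, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Login: pass the raw form input straight to password_verify. It reads the
// algorithm, cost and salt from the stored hash and recomputes the hash internally.
function loginOk(string $formInput, string $storedHash): bool
{
    return password_verify($formInput, $storedHash);
}

$storedHash = registerUser('correct horse battery staple');

// Inspect what the stored string carries: algorithm name and the cost option.
print_r(password_get_info($storedHash));

// Correct plaintext verifies; a wrong plaintext does not.
var_dump(loginOk('correct horse battery staple', $storedHash));
var_dump(loginOk('wrong password', $storedHash));

// "Double hashing": hashing the form input before verification fails, because the
// stored hash was computed over the plaintext, not over another hash string.
$doubleHashed = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
var_dump(loginOk($doubleHashed, $storedHash));

// Maintenance check: if the algorithm or cost you want today differs from what the
// stored hash encodes, rehash the plaintext right after a successful login.
$plainFromForm = 'correct horse battery staple';
if (loginOk($plainFromForm, $storedHash)
    && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
    $storedHash = password_hash($plainFromForm, PASSWORD_BCRYPT, ['cost' => 12]);
    // Persist $storedHash back to the user's row here.
}
```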
