
I've been reading up on the usage of the PHP `password_hash` function. It states that it automatically generates a salt and that manually generating one is not advised.

With this in mind, does this mean I can execute the following code:

    $password = password_hash('mypassword', PASSWORD_DEFAULT);

creating a hashed and salted password that needs nothing further done to it other than storing it in a MySQL table column?


migrated from programmers.stackexchange.com Jun 30 at 15:48


2 Answers

password_hash generates both the salt and the hash. It then combines them into a single string, so you don't have to store them separately, as is usually done.

That's also why password_verify takes only two parameters: a password and a combination of salt and hash.

Generating your own salt is not advised because you might do it wrong. For example, you could create one incorrectly by generating a predictable string or making it too short. Additionally, since the password_hash function already does that, why bother? If the user changes the password, then usually both the hash and the salt are regenerated.


Yes. You can then retrieve it and use password_verify() to check to see if a user-supplied password matches the stored hash.

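The round trip both answers describe (hash once, store the single string, verify against it later), as an added example that is not part of either answer. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database as a stand-in for the MySQL table; the table definition and the `registerUser`/`loginUser` function names are the example's own.

```php
<?php
// Added example: an in-memory SQLite database stands in for the MySQL table
// from the question; the column definition is the one you would use in MySQL.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// bcrypt output is 60 characters today, but the PHP manual recommends
// VARCHAR(255) so a future PASSWORD_DEFAULT algorithm still fits the column.
$db->exec('CREATE TABLE users (
    username      VARCHAR(64)  PRIMARY KEY,
    password_hash VARCHAR(255) NOT NULL
)');

function registerUser(PDO $db, string $username, string $password): void
{
    // One call generates the salt and the hash; the returned string embeds
    // algorithm, cost and salt, so it is the only thing that needs storing.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // password_verify() reads the salt and parameters out of the stored string,
    // which is why it needs only the password and that one string.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // If PASSWORD_DEFAULT has changed since this hash was made, upgrade it now,
    // while the plaintext is still available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

registerUser($db, 'alice', 'mypassword');         // constructed sample user
var_dump(loginUser($db, 'alice', 'mypassword'));  // known user, correct password
var_dump(loginUser($db, 'alice', 'wrong'));       // known user, wrong password
var_dump(loginUser($db, 'nobody', 'mypassword')); // unknown user
```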
