- Backer | 492
It makes sense, so I'm in fact not puzzled about that. What I am perplexed
about though, is that sandbox file
Passwords::hash() without salt, expecting it to return the same
result every time. And of course, it does not, so authentication
What am I missing, people?
Windows 7, PHP Version 5.3.13
- Backer | 402
If you call Passwords::hash without salt, salt is generated automatically. For comparison, you need to use Passwords::verify('password', $hashedPassword)
To add some clarification if @petr.pavel meant this
line in particular: it generates a new hash for
(which is in plain-text at that moment) in case the old hash is outdated (e.g.
after you've increased the cost factor).
Actually, I have to apologize.
When modifying the sandbox authenticator to use Doctrine, I mistakenly used both username and password hash to look up the user entity. So I wasn't using Passwords::verify() at all.
I was comparing a newly generated hash with an old hash which couldn't work without fixing the salt. I just wasn't thinking clearly when writing the user look-up method.
Sorry guys for wasting your time.
- Member | 492
Hi, sorry, I am not sure what is worse, my English or my knowledge; can somebody explain to me how the passwords work?
If I don't give the Passwords::hash function the salt, then the salt is randomly generated, so every time I generate the password a new, different hash will be generated.
So how can I verify this hash? With the function Passwords::verify? But this function trims the salt from the hash and verifies without it, and also the salt is part of the hash and I can see it. Is that OK? Why use the salt at all?
Can I find the salt in every hash?
The salt is generated randomly and then it becomes part of the password. On verify, the hashing algorithm can read the salt and verify the password. Having a different hash every time for the same password is an advantage.
It's a point. Two users with the same password get different hashes. On PHP 5.5 use the function password_verify; on lower PHP versions use the Nette functions, it is compatible.
P.S. And if English isn't your strong point, why don't you ask in Czech? :)
You're right, but I don't see a reason to use
even in 5.5 :)
password_verify is slightly faster and immune to timing
Good point. However, there could be a direct fallback inside the Password class for the verification.
Why is it faster?
Because it's written in C. Does not matter. Completely irrelevant for practical purposes. Nothing to worry about.
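As an added illustration of the whole thread (not code from the forum or from Nette), the pattern below uses PHP's native password_* functions (PHP 5.5+), which the Nette functions are compatible with as noted above: the lookup mistake from the apology post beside a verify-based login, plus the rehash-after-cost-increase step mentioned earlier. The sample password and the cost values are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 (password_* API).

function registerUser($plain, $cost = 10)
{
    // A random salt is generated and embedded in the returned string
    // ("$2y$" . cost . "$" . salt . hash), so two calls never return the same value.
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
}

// The mistake from the thread: re-hashing the submitted password and comparing
// the result with the stored hash. The new hash carries a fresh random salt,
// so this comparison cannot succeed for a correct password.
function brokenLookup($plain, $storedHash)
{
    return password_hash($plain, PASSWORD_BCRYPT) === $storedHash;
}

// Correct: verification reads the salt and cost out of $storedHash itself,
// recomputes the hash with that salt, and compares it in constant time.
function login($plain, $storedHash, $currentCost = 10)
{
    if (!password_verify($plain, $storedHash)) {
        return array('ok' => false, 'newHash' => null);
    }
    // After the cost factor was raised, old hashes still verify but should be
    // replaced while the plaintext is available (the role of needsRehash()).
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => $currentCost))) {
        $newHash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => $currentCost));
    }
    return array('ok' => true, 'newHash' => $newHash);
}

$stored = registerUser('correct horse battery staple', 10);

var_dump(brokenLookup('correct horse battery staple', $stored));
var_dump(login('correct horse battery staple', $stored));
var_dump(login('wrong password', $stored));

// Cost raised from 10 to 12: the old hash still verifies and an upgraded
// replacement is returned, which should be written back to the user record.
$result = login('correct horse battery staple', $stored, 12);
var_dump($result['newHash'] !== null
    && password_verify('correct horse battery staple', $result['newHash']));
```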