
I have a technical question regarding password_hash() & password_verify().

If I run a sample password through password_hash() many times, I get a different result each time. I guess that’s a Good Thing.

The question is how does password_verify() actually verify the candidate password if the actual hash keeps changing?

I ask this question here because it is PHP related.

For those who think this question is a duplicate:

This question is not a duplicate of the linked questions. I am aware that the value changes, and that password_verify() works with that.

It is a question of how that happens.

  • @Machavity: this is not a duplicate. Commented Jun 20, 2017 at 3:26
  • It is a duplicate. There's a ton of answers out there on this stackoverflow.com/questions/25167132/… Commented Jun 20, 2017 at 3:42
  • @Machavity No, the linked question doesn’t explain how password_verify works its magic. Neither do the other linked questions. I did read them. Commented Jun 20, 2017 at 4:27

1 Answer


As noted on the manual page for the password_hash() function,

The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.

When the same inputs - algorithm, cost, salt and password - are fed into the password calculation, the same output will be generated. Thus, password_verify() takes the algorithm, cost and salt from the original calculation, generates a new hash using the password being tested, and compares the previous result with the newly generated one. If they match, the verification succeeds; otherwise it's an error.
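The following script is an added illustration of the mechanism described in this answer; it is not code from the answer or from the PHP manual. It uses only built-in PHP functions (password_hash(), crypt(), hash_equals(), password_verify()) and a constructed sample password. It shows that two hashes of the same password differ only in the salt and digest, splits the bcrypt string into its algorithm, cost, salt and digest fields, and then reproduces what password_verify() does: re-run the same algorithm/cost/salt over the candidate password and compare in constant time. The helper functions parseBcrypt() and verifyLikePasswordVerify() are names chosen here for illustration.

```php
<?php
// Added example: how password_verify() can succeed even though password_hash()
// returns a different string on every call. Sample password is constructed.

$password = 'correct horse battery staple';

// 1. Two calls give two different strings, because each call draws a fresh random salt.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($hash1 !== $hash2); // bool(true)

// 2. The 60-character bcrypt string is self-describing:
//    "$2y$" = algorithm, "10" = cost, 22 chars of salt, 31 chars of digest.
//    (parseBcrypt is a helper written for this example.)
function parseBcrypt(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}
$p1 = parseBcrypt($hash1);
$p2 = parseBcrypt($hash2);
var_dump($p1['algo'] === $p2['algo'] && $p1['cost'] === $p2['cost']); // bool(true)
var_dump($p1['salt'] !== $p2['salt']);                                // bool(true)

// 3. Same algorithm + cost + salt + password => same digest. crypt() reads the
//    settings ("$2y$10$" plus the 22-char salt) from its second argument and
//    ignores anything after them, so the stored hash itself can be passed as the salt.
$settings   = substr($hash1, 0, 29);
$recomputed = crypt($password, $settings);
var_dump(hash_equals($hash1, $recomputed)); // bool(true)

// 4. This is the logic behind password_verify(): recompute with the stored
//    parameters, then compare in constant time so a wrong guess cannot be
//    distinguished by how quickly the comparison bails out.
//    (verifyLikePasswordVerify is a helper written for this example.)
function verifyLikePasswordVerify(string $candidate, string $stored): bool
{
    $recomputed = crypt($candidate, $stored);
    return is_string($recomputed) && hash_equals($stored, $recomputed);
}
var_dump(verifyLikePasswordVerify($password, $hash1));        // bool(true)
var_dump(verifyLikePasswordVerify('wrong password', $hash1)); // bool(false)

// 5. The built-in function gives the same answers, for either stored string.
var_dump(password_verify($password, $hash1)); // bool(true)
var_dump(password_verify($password, $hash2)); // bool(true)
var_dump(password_verify('wrong password', $hash2)); // bool(false)
```

Only the salt and digest portions differ between $hash1 and $hash2; the algorithm tag and cost are identical, which is why either string can be verified without storing anything beside it. In application code, call password_verify() directly rather than the hand-rolled helper: it performs the same steps, and it covers every algorithm password_hash() may emit, not just bcrypt.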


11 Comments

A better example would be php.net/manual/en/faq.passwords.php. Then include the breakdown, php.net/manual/en/images/….
@chris85 the OP asked how password_verify() can verify the candidate password, not for an example.
? Yea... this is how password_hash stores the password and because of the format how password_verify can compare it... (which is what your quote says).
This is the correct answer, I just want to point out that the salt is the part which is different for multiple subsequent hashes of the same value, resulting in the uniqueness for each hash. The algorithm and cost don't usually change. In fact, 7.2 will be the first time that the algorithm changes for password_hash using PASSWORD_DEFAULT
@FKEinternet I have already read the link, and I understand that it’s self-contained. I have amended the question to how does it verify? I was wondering how it does its job.
