Why Does Password_hash Generate Different Hashes for the Same Input?

Password_hash Generating Different Hashes for the Same Input

In a login system, it's common to hash passwords for security. However, some users may encounter an issue where password_hash yields a different hash value every time for the same password. This can prevent successful verification using password_verify().

Understanding the Behavior of Password_hash

Password_hash is designed to generate a unique salt for each hashing operation. This salt is appended to the password before hashing, making it virtually impossible to predict the hash value. Even the same password will produce a different hash each time due to the randomized salt.

Resolving the Verification Issue

To verify the password, you need to provide the original unhashed password as the first argument to password_verify(). The second argument should be the hashed password stored in the database.

Example Code for Verification

$password4 = 'PlaintextPassword';
$dbpassword = 'HashedPasswordFromDatabase';

if (password_verify($password4, $dbpassword)) {
    // Password verified
} else {
    // Password does not match
}

Additional Security Measures

If desired, you can increase the security of password_hash by increasing the cost factor. The default cost is 10, but you can set a higher value like 15 for added protection.

$password = password_hash($password4, PASSWORD_DEFAULT, ['cost' => 15]);

The above is the detailed content of Why Does Password_hash Generate Different Hashes for the Same Input?. For more information, please follow other related articles on the PHP Chinese website!