Question

I can't find anywhere how to validate a password after it's been hashed with a random salt. My code to hash the password:

    public function hashPassword($password){
        $options = [
            'cost' => 11,
            'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
        ];
        return password_hash($password, PASSWORD_BCRYPT, $options);
    }

And code to retrieve:

    public function validatePassword($password){
        return password_verify($this->password, self::model()->password);
    }

But it doesn't seem to work. Maybe anyone can let me know why?

No correct solution

OTHER TIPS

You're not actually using the $password parameter in your validatePassword function. Note: $password should be the plain text password entered and the second parameter should contain the hashed version you previously stored. Try this:

    public function validatePassword($password){
        return password_verify($password, self::model()->password);
    }

Also, it's best to not handle salting yourself. Just use the PASSWORD_DEFAULT option and do not salt. PHP will handle it. You can use password_needs_rehash() to check if you need to rehash the password if a PHP version upgrade changes the default.
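As an added example (not code from the question or either answer), here is the flow the answer describes: hash with PASSWORD_DEFAULT and no manual salt, verify the typed plain-text password against the stored hash, and rehash when password_needs_rehash() asks for it. The function names, the cost value and the way the stored hash is passed in are assumptions for illustration.

```php
<?php
// Added example, not the question's or the answers' code. Names and the
// cost setting are assumptions; only the PHP functions are the real API.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 11];

// Hash a plain-text password. PHP draws the random salt itself and embeds
// it in the returned string, so no 'salt' option is needed or wanted.
function hashPassword(string $plain): string
{
    return password_hash($plain, HASH_ALGO, HASH_OPTIONS);
}

// Check the password the user typed against the hash loaded from storage.
// password_verify() reads algorithm, cost and salt out of $storedHash.
// Returns the hash that should now be stored (possibly a fresh one),
// or null when the password does not match.
function validatePassword(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    // Algorithm or cost changed since the hash was made? Rehash now,
    // while the plain-text password is still available.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        return hashPassword($plain);
    }
    return $storedHash;
}

// Constructed demo input.
$stored = hashPassword('correct horse battery staple');

// Two hashes of the same password differ (different random salts), so a
// plain string comparison of fresh hashes fails, yet both verify.
$again = hashPassword('correct horse battery staple');
assert($stored !== $again);
assert(validatePassword('correct horse battery staple', $stored) !== null);
assert(validatePassword('correct horse battery staple', $again) !== null);

// Wrong password: no match, so nothing is stored.
assert(validatePassword('Tr0ub4dor&3', $stored) === null);

// A hash made with a weaker cost still verifies but is replaced on login.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
$new = validatePassword('correct horse battery staple', $old);
assert($new !== null && $new !== $old);
assert(!password_needs_rehash($new, HASH_ALGO, HASH_OPTIONS));
```

Run with `php -d zend.assertions=1 example.php`; a silent exit means every check passed, and the caller of validatePassword() should persist the returned hash whenever it differs from the one loaded.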

Hash it again exactly the same way and compare the 2 strings. This is the way most passwords are compared.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow