I use crypt($password, '$2y$10$predefinedsalt') to generate hashes. Is it okay to just check them against other hashes using a normal if?

$password = crypt($enteredPassword, '$2y$10$predefinedsalt'); // hash of the submitted password
$password2 = $storedHash; // hash loaded from the database
if ($password == $password2) {
    // then do something
}
Answer
Yeah that’s pretty much how password verification works.
You store the original password hashed, and on login you hash the entered password with the same options/hash and compare it to the one you stored earlier.
PHP recommends using hash_equals() to mitigate timing attacks. Like this:
return hash_equals($hash, crypt($password, $salt));
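A complete register-then-login round trip with crypt() and hash_equals(), as an added example that is not part of the original question or answer. It assumes PHP 7 or later (random_bytes(), hash_equals(), a bcrypt-capable crypt()), generates a fresh random bcrypt salt per hash rather than reusing the fixed placeholder salt from the question, and constructs the sample password and the "stored" hash inline; the function names makeBcryptSalt, hashPassword and verifyPassword are this example's own.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP 7+ with a bcrypt-capable crypt(), random_bytes() and hash_equals().
declare(strict_types=1);

// Build a bcrypt salt spec: "$2y$" + two-digit cost + "$" + 22 chars from [./A-Za-z0-9].
// The question used a fixed placeholder salt; a fresh random salt per hash is used here.
function makeBcryptSalt(int $cost = 10): string
{
    // base64 of 16 random bytes is 24 chars ending in "=="; swap "+" for "." to match
    // the bcrypt alphabet and keep the first 22 chars.
    $raw = strtr(base64_encode(random_bytes(16)), '+', '.');
    return sprintf('$2y$%02d$%s', $cost, substr($raw, 0, 22));
}

// Registration: crypt() returns a 60-char string that already embeds the salt spec,
// so that whole string is what goes into the database.
function hashPassword(string $password): string
{
    $hash = crypt($password, makeBcryptSalt(10));
    // On failure crypt() returns a short marker such as "*0" instead of a hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Login: re-hash the candidate with the stored hash as the salt argument.
// crypt() reads only the "$2y$10$<22 chars>" prefix of its second argument, so the
// same salt and cost are reproduced without a separate salt column.
// hash_equals() yields the same boolean "==" would, but compares in constant time
// instead of stopping at the first differing byte.
function verifyPassword(string $candidate, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

// Constructed sample data standing in for a user record in the database.
$storedHash = hashPassword('correct horse battery staple');

echo verifyPassword('correct horse battery staple', $storedHash) ? "login ok\n" : "login failed\n";
echo verifyPassword('Correct horse battery staple', $storedHash) ? "login ok\n" : "login failed\n";

// Hashing the same password again gives a different string (different salt),
// yet it still verifies, because the salt is read back out of each stored hash.
$otherHash = hashPassword('correct horse battery staple');
echo ($otherHash !== $storedHash) ? "hashes differ\n" : "hashes identical\n";
echo verifyPassword('correct horse battery staple', $otherHash) ? "login ok\n" : "login failed\n";
```

Passing the stored hash itself as the salt argument is the idiom the PHP manual shows for crypt(); it means the verification code never has to know which cost or salt was used when the hash was created.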