How should I check hashed passwords

I use crypt(password, $2y$10$predefinedsalt) to generate hashes. Is it okay to just check them against other hashes using a normal if?



Answer

Yeah, that’s pretty much how password verification works.

You store the original password hashed, and on login you hash the entered password with the same options/hash and compare it to the one you stored earlier.

PHP recommends using hash_equals() to mitigate timing attacks. Like this:

User contributions licensed under: CC BY-SA
5 people found this helpful
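As an added example (not code from the original question or answer), here is the check the answer describes, written in PHP: crypt() the submitted password with the stored hash as the salt argument, so the same salt and cost are reused, then compare the result with hash_equals(). A second function shows the same check through password_hash()/password_verify(), which the PHP manual encourages over calling crypt() directly because it generates a random salt and compares in constant time itself. The function names bcryptSalt, hashPassword, checkPassword and checkPasswordModern, and the sample password, are assumptions made for this example. One caveat on the question's setup: bcrypt expects a fresh random salt per password; reusing a single predefined salt for every user means two users with the same password get the same hash, and one precomputed table covers all of them.

```php
<?php
// Added example, not from the original post. Demonstrates bcrypt hashing
// via crypt() and constant-time verification via hash_equals(), plus the
// password_hash()/password_verify() equivalent.
declare(strict_types=1);

// Build a bcrypt salt string "$2y$<cost>$<22 chars>" with random salt
// characters drawn from bcrypt's ./A-Za-z0-9 alphabet (assumed helper name).
function bcryptSalt(int $cost = 10): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Registration: hash with a per-user random salt, store crypt()'s output.
function hashPassword(string $password): string
{
    return crypt($password, bcryptSalt());
}

// Login: crypt() with the stored hash as the salt argument reuses the
// cost and salt embedded in its first 29 characters, so a correct password
// reproduces the full 60-character hash. hash_equals() takes the known
// (stored) value first and runs in time independent of where the strings
// first differ; it returns false outright if the lengths differ, which
// also covers crypt()'s short failure strings ("*0" / "*1").
function checkPassword(string $entered, string $storedHash): bool
{
    $candidate = crypt($entered, $storedHash);
    return hash_equals($storedHash, $candidate);
}

// Same check through the higher-level API: password_hash() picks a random
// salt, and password_verify() does the crypt() + constant-time compare.
function checkPasswordModern(string $entered, string $storedHash): bool
{
    return password_verify($entered, $storedHash);
}

// Constructed demo input.
$password = 'correct horse battery staple';

$stored = hashPassword($password);
var_dump(checkPassword($password, $stored));
var_dump(checkPassword('wrong password', $stored));

$stored2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(checkPasswordModern($password, $stored2));
var_dump(checkPasswordModern('wrong password', $stored2));
```

Both verification functions accept the stored hash as the only secret-bearing input, so the same code works whether the hash was produced by crypt() with a hand-built $2y$ salt or by password_hash(); the two formats are identical.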