How Does This Validate the Password?

In the user model:

```php
/**
 * Checks a given password against the stored hash.
 * The stored hash is passed to crypt() as the salt: its prefix carries the
 * algorithm, cost and salt, so crypt() rehashes with the same parameters.
 * @param string $password
 * @return boolean
 */
public function validatePassword($password)
{
    return crypt($password, $this->password) === $this->password;
}

/**
 * Generates the password hash.
 * @param string $password
 * @return string hash
 */
public function hashPassword($password)
{
    return crypt($password, $this->generateSalt());
}
```



"generateSalt" will always give a random salt, so the password the user enters will be different from the stored password …

How does it work to validate the user password against the stored password in the DB?

Thanks

Hi

You have to store the user password the first time with a specific salt (even if this salt is random).

If you want to use a random salt you have to store both the hashed password and this salt on the specific record (user).

After that you have to compare the given password (on login) with the hashed password and the stored salt.

The salt is stored in plain form together with the resulting hash. crypt() detects that, which is why the saved hash is passed to it along with the password to be checked. Having an unencrypted salt in the hash is OK because its job is just to create a hash that can't be pre-computed in rainbow tables.

The password is stored in the DB when the user registers with:

```php
$newUser->password = $newUser->hashPassword($model->password);
```

As I understand it now, I need to store the salt and use it to crypt the password and match it against the login form password, or I remove the salt function from the whole class.

Is that right?

Thanks …

Exactly!

user stored pass = hash(password + salt) -> you need the salt to compare on login

so, you need hash(given password + salt) == hash(stored password + salt), therefore the salt must be stored :)

crypt() returns a hash that contains the salt. You store it in one field as the hashed password. Just save the result of hashPassword().
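The two replies above describe how a crypt() hash carries its own salt; the following self-contained PHP illustration is added here and is not code from the thread or from Yii. The class and method names mirror the thread, but generateSalt() is written from scratch (the thread never shows it), and hash_equals() replaces the plain === comparison.

```php
<?php
// Added example: a minimal user model showing that a crypt() hash embeds
// its own salt, so the hash alone is all that needs to be stored.
final class User
{
    /** @var string hash exactly as it would be saved in the DB column */
    public string $password = '';

    // Build a bcrypt salt: "$2y$" + two-digit cost + "$" + 22 chars of [./A-Za-z0-9].
    // Our own construction; the thread's generateSalt() is not shown.
    private function generateSalt(int $cost = 10): string
    {
        $raw  = base64_encode(random_bytes(16));        // 24 chars, ends in "=="
        $salt = substr(strtr($raw, '+', '.'), 0, 22);   // map to the bcrypt alphabet
        return sprintf('$2y$%02d$%s', $cost, $salt);
    }

    public function hashPassword(string $password): string
    {
        return crypt($password, $this->generateSalt());
    }

    // The stored hash is handed back to crypt() as the "salt": crypt() reads
    // the algorithm, cost and salt from its first 29 characters and ignores
    // the rest, so the same salt is reused for the comparison.
    public function validatePassword(string $password): bool
    {
        return hash_equals($this->password, crypt($password, $this->password));
    }
}

// Registration: only the hash is saved; the salt is its first 29 characters.
$user = new User();
$user->password = $user->hashPassword('correct horse');
assert(strlen($user->password) === 60);
assert(substr($user->password, 0, 7) === '$2y$10$');

// Two users with the same password get different hashes (different random
// salts), yet each still validates against its own stored hash.
$other = new User();
$other->password = $other->hashPassword('correct horse');
assert($user->password !== $other->password);
assert($user->validatePassword('correct horse') === true);
assert($other->validatePassword('correct horse') === true);
assert($user->validatePassword('wrong horse') === false);
```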

Just for reference … I ended up with this:

```php
// $name (the user's name) is used directly as the salt. crypt() treats a salt
// without a recognized prefix ($2y$, $6$, ...) as a standard DES salt and
// uses only its first two characters.
public function hashPassword($password, $name)
{
    return crypt($password, $name);
}
```



Thanks guys ;)