How are salts generated and validated in Phalcon

I'm reading the docs about generating passwords and it mentions that the salt is being generated. I don't see anything in the code to reflect this. Is the salt part of the password string (so therefore, I don't require a salt column?)

"The salt is generated using pseudo-random bytes with PHP's function openssl_random_pseudo_bytes, so it is required to have the openssl extension loaded." http://docs.phalconphp.com/en/latest/reference/security.html

edited Dec '14

The salt is generated by Phalcon and is stored alongside the crypted password in the hashed string that Phalcon returns.

So yes, there's no need for a salt column :)

The behavior is pretty much the same as PHP's password_hash.


Ok, thanks Max. That question has been on my list for a while.

The salt is generated by Phalcon and is stored alongside the crypted password in the hashed string that Phalcon returns.

I see that 4 users on my dev box all have the same salt in the password field. How is the salt generated and changed? Is it runtime path based or something like that?

The initial part of the hashed string starts (usually) with $2a$ and indicates the algorithm used. The salt should be indistinguishable from the crypted password.
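The following is an added example, not code from the forum thread or from Phalcon itself. It illustrates both answers above: that the salt lives inside the returned hash string (so no salt column is needed) and that the string's prefix names the algorithm. It uses PHP's built-in password_hash()/password_verify(), which the first answer says behave like Phalcon's Security::hash()/checkHash(); Phalcon is not required to run it. Note that current PHP emits a $2y$ prefix rather than $2a$; both are bcrypt. The parseBcrypt() and findDuplicateSalts() helpers and the sample password are constructed for this example. It needs PHP 7.4 or later.

```php
<?php
// Added example (not from the forum post or Phalcon's code base): shows how a
// bcrypt string carries its own salt, which is why no separate salt column is
// needed. password_hash() is the built-in that the answer says Phalcon's
// Security::hash() behaves like; password_verify() corresponds to checkHash().

// Split a bcrypt "modular crypt" string into its fields:
//   $2y$10$<22 chars of salt><31 chars of hash>
// (helper written for this example, not a Phalcon or PHP API)
function parseBcrypt(string $hash): array
{
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algorithm' => $m[1],        // 2a, 2b or 2y: the bcrypt variant
        'cost'      => (int) $m[2],  // work factor: 2^cost rounds
        'salt'      => $m[3],        // 128-bit random salt, bcrypt-base64 encoded
        'digest'    => $m[4],        // the actual password hash
    ];
}

// Walk a list of stored hashes and report any salt that appears more than
// once. Four users sharing a salt, as in the follow-up question, would show
// up here; with a working CSPRNG this should return an empty array.
function findDuplicateSalts(array $storedHashes): array
{
    $bySalt = [];
    foreach ($storedHashes as $h) {
        $bySalt[parseBcrypt($h)['salt']][] = $h;
    }
    return array_filter($bySalt, fn(array $hashes) => count($hashes) > 1);
}

$password = 'correct horse battery staple'; // constructed sample input

// Hash the same password twice. Each call draws a fresh random salt, so the
// two strings differ even though the password is identical.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$a = parseBcrypt($first);
$b = parseBcrypt($second);
printf("algorithm=%s cost=%d\n", $a['algorithm'], $a['cost']);
printf("salt 1: %s\nsalt 2: %s\n", $a['salt'], $b['salt']);
echo $a['salt'] === $b['salt'] ? "WARNING: salts repeated\n" : "salts differ, as expected\n";

// Verification re-reads the algorithm, cost and salt from the stored string
// and recomputes the digest, so the user row only needs the one hash column.
var_dump(password_verify($password, $first));
var_dump(password_verify($password, $second));
var_dump(password_verify('wrong password', $first));

// Sanity check over the two freshly generated hashes: no shared salt.
var_dump(findDuplicateSalts([$first, $second]));
```

If findDuplicateSalts() reports collisions on real rows, the thing to check is how those rows were written (for instance, the same hash copied between fixtures), since the salt comes from the random source and not from anything about the user or the runtime path.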