How can I get the salt used by Security::hash method so I can store it?

I don't see how the salt used by the hash method of the Security component can be retrieved so it can be stored.

If I understand it correctly, the salt used to hash a password is pseudo-random, so I need to store it along with the hashed password for future comparison. But in the documentation example the salt is never stored, at least I can't see it. Is there something going on behind the curtains?

Could someone help me understand what is going on? Where does the salt come from? How does this work without the salt?

$login = $this->request->getPost('login');
$password = $this->request->getPost('password');

$user = Users::findFirstByLogin($login);
if ($user) {
    if ($this->security->checkHash($password, $user->password)) {
        // The password is valid
    }
}

http://docs.phalconphp.com/en/latest/reference/security.html

http://docs.phalconphp.com/en/latest/api/Phalcon%5Security.html



Accepted answer (edited Dec '14)

Salts are automatically generated using openssl_random_pseudo_bytes; they're random and they're part of the generated hash.

https://github.com/phalcon/cphalcon/blob/2.0.0/phalcon/security.zep#L139-L145
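
The point of the accepted answer, shown as an added example that is not part of the original thread and is not Phalcon's own code: a bcrypt hash string carries its algorithm id, cost and salt in its prefix, so verification re-hashes the candidate password with the parameters read back from the stored string. It assumes bcrypt in the modular crypt format produced by PHP's `password_hash()` and `crypt()`; the function names `parseBcryptHash` and `verifyPassword` are hypothetical.

```php
<?php
// Added example. Assumed layout of a 60-character bcrypt hash:
//   $<id>$<cost>$<22-char salt><31-char digest>

/** Split a bcrypt hash string into the parameters embedded in it. */
function parseBcryptHash(string $hash): array
{
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash');
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

/** Verify a password by re-hashing it with the salt stored inside the hash. */
function verifyPassword(string $password, string $storedHash): bool
{
    // crypt() takes the algorithm, cost and salt from the prefix of $storedHash
    // and ignores the trailing digest, so no separate salt column is needed.
    $recomputed = crypt($password, $storedHash);

    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals($storedHash, $recomputed);
}

// Constructed sample input: the same password hashed twice.
$password = 'correct horse battery staple';
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$a = parseBcryptHash($first);
$b = parseBcryptHash($second);

// Each call draws a fresh random salt, so the two stored strings differ.
printf("salt 1: %s\nsalt 2: %s\n", $a['salt'], $b['salt']);
printf("salts differ:  %s\n", var_export($a['salt'] !== $b['salt'], true));
printf("hashes differ: %s\n", var_export($first !== $second, true));

// Both still verify, because each hash carries the salt it was made with.
printf("verify first:  %s\n", var_export(verifyPassword($password, $first), true));
printf("verify second: %s\n", var_export(verifyPassword($password, $second), true));
printf("wrong password: %s\n", var_export(verifyPassword('guess', $first), true));
```

Storing the full hash string in the password column is therefore sufficient; truncating that column below 60 characters would cut off part of the digest and make every check fail.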