A salt is a value added to a password before the password is hashed. A proper salt is random, different for every user, and stored next to the hash; it does not need to be secret. Its job is not to make the password "more complex" but to make sure two users who chose the same password end up with different hashes, and to defeat precomputed (rainbow) tables, since an attacker would need a separate table for every salt.
For instance, with the salt "SomeSalt", "myPassWord" becomes "myPassWordSomeSalt", and the hash of that longer string is what gets stored. Note that this is hashing, not encryption: a hash is one-way, and there is no key that turns it back into the password. Note also that a single fixed string such as "SomeSalt" applied to every user is not really a salt (it is closer to a pepper): every user who picked "myPassWord" still gets the same hash, and one precomputed table covers all of them.
Then at login you append the same salt to what the user typed, hash the result with the same function used at registration, and compare it with the stored hash. Your condition looks like...
// sha256 stands in for whatever hash was used when the password was stored;
// hash_equals() compares in constant time, so timing does not leak how many bytes matched
if (hash_equals($db['password'], hash('sha256', $_POST['password'] . 'SomeSalt'))) {...}
You no longer need to do any of this by hand: since PHP 5.5, password_hash() generates a fresh random salt on every call and password_verify() reads it back out of the stored hash. You can simply do...
$hash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($password, $hash)) {
    // password is valid!
}
This saves coding, and it also fixes what the manual approach above gets wrong: the salt comes from a cryptographically secure random generator and is different for every hash; the algorithm (bcrypt for PASSWORD_DEFAULT at the time of writing) is deliberately slow, which makes offline guessing expensive in a way a plain SHA-256 is not; the algorithm, cost factor and salt are all encoded in the returned string, so a single database column holds everything; and password_verify() compares in constant time. Store the whole string in a column of at least 255 characters, because PASSWORD_DEFAULT may change in a future PHP release, and call password_needs_rehash() at login so old hashes are upgraded while you still have the plaintext.
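As an added example (not code from the original post), the script below puts the three approaches side by side for two users who picked the same password: a fixed "salt" string, a per-user random salt stored beside the digest, and the password_hash() API with a rehash-on-login step. The function names, the sample passwords and the use of SHA-256 in the manual variant are all constructed for this illustration; SHA-256 is used there only to make the salt mechanic visible and is not a recommended password hash, which is exactly why password_hash() uses a slow algorithm instead.

```php
<?php
declare(strict_types=1);

// Constructed for the illustration: the fixed string from the post above.
const FIXED_SALT = 'SomeSalt';

// 1. Fixed "salt": every user who chose the same password gets the same
//    digest, so a leaked table shows who shares a password and one
//    precomputed table covers all rows.
function hashWithFixedSalt(string $password): string
{
    return hash('sha256', $password . FIXED_SALT);
}

// 2. Per-user random salt: 16 bytes from the CSPRNG, kept next to the digest.
//    Passing $salt back in is how verification recomputes the digest.
//    (SHA-256 is fast and therefore a poor password hash; it is used here
//    only so the salt mechanic is visible.)
function hashWithRandomSalt(string $password, ?string $salt = null): array
{
    $salt ??= random_bytes(16);
    $digest = hash('sha256', $salt . $password, true);
    return ['salt' => $salt, 'digest' => $digest];
}

function verifyWithRandomSalt(string $password, array $record): bool
{
    $candidate = hashWithRandomSalt($password, $record['salt'])['digest'];
    // hash_equals() runs in constant time; == or === would leak timing.
    return hash_equals($record['digest'], $candidate);
}

// 3. password_hash(): algorithm, cost and salt are encoded in the returned
//    string (e.g. "$2y$10$..." for bcrypt), so one column stores everything.
function registerUser(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// $storedHash is taken by reference so an upgraded hash can be written back
// to the caller's record when PASSWORD_DEFAULT or its options have changed.
function loginUser(string $password, string &$storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demonstration: two users, same password (constructed sample input).
$alicePw = 'myPassWord';
$bobPw   = 'myPassWord';

echo "fixed salt, alice:  ", hashWithFixedSalt($alicePw), PHP_EOL;
echo "fixed salt, bob:    ", hashWithFixedSalt($bobPw), PHP_EOL;   // same string for both

$aliceRec = hashWithRandomSalt($alicePw);
$bobRec   = hashWithRandomSalt($bobPw);
echo "random salt, alice: ", bin2hex($aliceRec['digest']), PHP_EOL;
echo "random salt, bob:   ", bin2hex($bobRec['digest']), PHP_EOL; // differ despite same password
var_dump(verifyWithRandomSalt('myPassWord', $aliceRec));
var_dump(verifyWithRandomSalt('wrongPassword', $aliceRec));

$stored = registerUser($alicePw);
echo "password_hash:      ", $stored, PHP_EOL;
var_dump(loginUser('myPassWord', $stored));
var_dump(loginUser('wrongPassword', $stored));
```

Running it twice shows the point of the salt: the fixed-salt digests never change and are identical for both users, while the random-salt digests and the password_hash() string differ on every run even though the password is the same. The manual variant is shown only to explain what password_hash() does for you; in new code, use password_hash() and password_verify() and nothing else.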