What's the proper way to use password_verify with PDO?

南方客 2021-01-21 16:54

I can't seem to get password_verify to work w/in my php PDO code. My pass field is stored as varchar(255). I've been reading similar questions, but from what I can tell I hav

2 answers
  • 2021-01-21 17:11

    The arguments for password_verify() are (1) the unhashed password you want to check and (2) the hashed password you are using as a reference. You are hashing the first argument before comparing:

    $pass = trim($_POST['pass']);
    $passH = password_hash($pass, PASSWORD_DEFAULT); // produces a brand-new hash with a fresh random salt
    // ...
    if(count($check_user)>0 && password_verify($passH, $check_user['pass'])) { // verifies the hash string, not the password: always false

    You should be doing password_verify($pass /** the unhashed one */, $check_user['pass'])

    Also, trimming the password is a bad idea. What if the password actually includes whitespace (which you should allow it to do)?

  • 2021-01-21 17:23

    RTM? http://php.net/password_verify

    boolean password_verify ( string $password , string $hash )
    

    You pass in the PLAINTEXT password for $password. You don't hash it yourself. That'll just generate a NEW hash with a DIFFERENT salt, making comparisons both pointless and impossible.

    password_verify will extract the proper salt from $hash, use that to hash $password itself, then compare the hash strings.

    e.g. password_verify is basically just this:

    // Illustrative only: PHP already defines password_verify(), so this copy is
    // renamed. crypt() reads the algorithm, cost and salt out of $hash and
    // re-hashes $pw with them; hash_equals() compares without timing leaks.
    function my_password_verify($pw, $hash) {
        $temp = crypt($pw, $hash);

        return hash_equals($hash, $temp);
    }
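
Putting both answers together, here is an added example (not code from the question or either answer) of a PDO registration and login flow that hashes once on registration and passes the untrimmed plaintext to password_verify() on login. It assumes a users table with columns username and pass (VARCHAR(255)) and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the question or either answer: registration and
// login against a PDO-backed users table with password_hash()/password_verify().
// Assumes a table users(username VARCHAR(64) UNIQUE, pass VARCHAR(255)).
// Uses in-memory SQLite so it runs stand-alone; swap the DSN for MySQL in practice.

function register(PDO $db, string $username, string $password): void {
    // Store only the hash. password_hash() generates a random salt and embeds
    // it, the algorithm and the cost in the returned string (60+ chars, hence
    // VARCHAR(255)). The plaintext is not trimmed: leading/trailing spaces are
    // part of the password the user chose.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    // Look up by username only; the password is never part of the query.
    $stmt = $db->prepare('SELECT pass FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // Plaintext first, stored hash second. password_verify() reads the salt and
    // cost out of $row['pass'], re-hashes $password with them and compares the
    // result in constant time.
    if (!password_verify($password, $row['pass'])) {
        return false;
    }
    // Optional upkeep: if the default algorithm or cost has changed since the
    // hash was made, re-hash now while the plaintext is available.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username VARCHAR(64) UNIQUE, pass VARCHAR(255))');
register($db, 'alice', ' hunter2 ');        // constructed sample user; surrounding spaces are kept
var_dump(login($db, 'alice', ' hunter2 '));  // exact password supplied
var_dump(login($db, 'alice', 'hunter2'));    // trimmed variant is a different password
var_dump(login($db, 'bob', 'anything'));     // no such user
```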