How are salts generated and validated in Phalcon

Question

How are salts generated and validated in Phalcon

Martyn Bissett Dec '14

Created Dec '14	Last Reply Dec '14	Replies 2	Views 670	Votes 0

Martyn Bissett 8.3k

Dec '14

I'm reading the docs about generating passwords and it mentions that the salt is being generated. I don't see anything in the code to reflect this. Is the salt part of the password string (so therefor, I don't require a salt column?)

*"The salt is generated using pseudo-random bytes with the PHP’s function openssl_random_pseudo_bytes so is required to have the openssl extension loaded." https://docs.phalcon.io/en/latest/reference/security.html

Max Galbusera · Answer 1 · 2014-12-09T08:36:01-07:00

The salt is generated by phalcon and is stored alongside the crypted password in the hashed string that phalcon returns.

So yes, there's no need for a salt column :)

The behavior is pretty much the same as php's password_hash

Max Galbusera · Answer 2 · 2014-12-12T05:03:33-07:00

The initial part of the hashed string starts (usually) with $2a$ and indicates the algoright used. The salt should be undistinguable from the crypted password.