
How are salts generated and validated in Phalcon

I'm reading the docs about generating passwords and it mentions that the salt is being generated. I don't see anything in the code to reflect this. Is the salt part of the password string (so therefore I don't require a salt column?)

*"The salt is generated using pseudo-random bytes with the PHP’s function openssl_random_pseudo_bytes so is required to have the openssl extension loaded." https://docs.phalcon.io/en/latest/reference/security.html

edited Dec '14

The salt is generated by Phalcon and is stored alongside the crypted password in the hashed string that Phalcon returns.

So yes, there's no need for a salt column :)

The behavior is pretty much the same as PHP's password_hash.

The initial part of the hashed string starts (usually) with $2a$ and indicates the algorithm used. The salt should be indistinguishable from the crypted password.
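As an added example (not code from the original thread or from Phalcon itself), the PHP below splits a bcrypt string into its prefix, salt and digest to show where the salt sits, then verifies the password using only that stored string. It uses PHP's own password_hash()/password_verify(), which the answer says Phalcon's hashing behaves like; the password is a constructed sample.

```php
<?php
// Added example, not from the original thread or the Phalcon project.
// Shows that a bcrypt string carries its own salt (so no salt column is
// needed) and that verification recovers the salt from the stored string.

// Split a bcrypt modular-crypt string into its fields:
//   $<id>$<cost>$<22-char salt><31-char digest>
function parseBcrypt(string $hash): ?array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a well-formed bcrypt string
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$password = 'correct horse battery staple'; // constructed sample input

// Hashing the same password twice yields different strings only because
// each call draws a fresh random salt.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$p1 = parseBcrypt($hash1);
$p2 = parseBcrypt($hash2);
check($p1 !== null && $p2 !== null, 'output is bcrypt');
check($p1['salt'] !== $p2['salt'], 'fresh salt per hash');
printf("prefix \$%s\$%02d\$  salt %s  digest %s\n", $p1['id'], $p1['cost'], $p1['salt'], $p1['digest']);

// Verification needs only the stored string: the salt is read back out of it,
// so there is nothing else to store or look up.
check(password_verify($password, $hash1), 'correct password, hash1');
check(password_verify($password, $hash2), 'correct password, hash2');
check(!password_verify('wrong password', $hash1), 'wrong password rejected');

// Altering one salt character makes the digest no longer match: the digest is
// bound to the salt, which is why the salt can sit next to it in plain view.
$salt = $p1['salt'];
$salt[0] = ($salt[0] === 'A') ? 'B' : 'A';
$tampered = sprintf('$%s$%02d$%s%s', $p1['id'], $p1['cost'], $salt, $p1['digest']);
check(!password_verify($password, $tampered), 'modified salt rejected');
echo "all checks passed\n";
```

Current PHP emits the $2y$ prefix rather than the $2a$ mentioned above; the regex accepts both, and the layout of cost, salt and digest is the same.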