
How can I get the salt used by Security::hash method so I can store it?

I don't see how the salt used by the hash method of the Security component can be retrieved so it can be stored.

If I understand it correctly, the salt used to hash a password is pseudo-random, so I need to store it along with the hashed password for future comparison. But in the documentation example the salt is never stored, at least I can't see it. Is there something going on behind the curtains?

Could someone help me understand what is going on? Where does the salt come from? How does this work without the salt?

$login = $this->request->getPost('login');
$password = $this->request->getPost('password');

// Look the user up by login, then compare the submitted password
// against the stored hash (no separate salt value is passed in)
$user = Users::findFirstByLogin($login);
if ($user) {
    if ($this->security->checkHash($password, $user->password)) {
        // The password is valid
    }
}

https://docs.phalcon.io/en/latest/reference/security.html

https://docs.phalcon.io/en/latest/api/Phalcon_Security.html

Accepted answer, edited Dec '14:

Salts are automatically generated using openssl_random_pseudo_bytes; they're random and they're part of the generated hash.

https://github.com/phalcon/cphalcon/blob/2.0.0/phalcon/security.zep#L139-L145
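To make the "the salt is part of the hash" point concrete, here is an added example (not Phalcon's code and not from the original thread) using PHP's built-in crypt() with bcrypt, the same primitive family the Security component builds on. It shows where the salt sits inside the 60-character hash string, how verification re-reads the salt from the stored value, and why no separate salt column is needed. The function names, the 16-byte salt length and the cost factor of 10 are choices made for this example.

```php
<?php
// Added example, not Phalcon's own implementation: demonstrates that a bcrypt
// hash string carries its cost and salt, so checkHash()-style verification
// needs only the stored hash. Uses plain crypt(), not the Security component.

// Build a bcrypt salt: random bytes encoded into the 22-character
// "./A-Za-z0-9" alphabet that bcrypt accepts (cost 10 is an example choice).
function makeBcryptSalt(int $cost = 10): string
{
    $raw = random_bytes(16);                       // 128 bits of randomness
    // base64 emits "+", which bcrypt rejects; swap it for "." and keep
    // 22 characters (16 bytes -> 24 base64 chars, last two are padding).
    $encoded = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $encoded);
}

// Hash a password with a freshly generated salt. The return value is the
// full bcrypt string: "$2y$" + cost + "$" + 22 salt chars + 31 hash chars.
function hashPassword(string $password): string
{
    return crypt($password, makeBcryptSalt());
}

// The first 29 characters of a stored bcrypt hash are the algorithm id,
// the cost and the salt. This is the "salt" the question asks about.
function saltFromHash(string $storedHash): string
{
    return substr($storedHash, 0, 29);
}

// Verify a candidate password against a stored hash. crypt() re-reads the
// cost and salt from $storedHash, so hashing the candidate with it as the
// "salt" argument reproduces the full string only if the password matches.
function checkPassword(string $password, string $storedHash): bool
{
    $candidate = crypt($password, $storedHash);
    // Constant-time comparison so the check does not leak how many leading
    // characters matched.
    return hash_equals($storedHash, $candidate);
}

// Demonstration with a constructed password.
$stored = hashPassword('correct horse battery staple');
echo "stored hash: $stored\n";
echo "salt part:   " . saltFromHash($stored) . "\n";
echo "length:      " . strlen($stored) . "\n";
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong password', $stored));
// Two hashes of the same password differ, because each call draws a new salt;
// verification still works for both because each carries its own salt.
var_dump(hashPassword('same') === hashPassword('same'));
```

Running this prints a 60-character hash whose first 29 characters are the cost and salt; the correct password verifies, the wrong one does not, and hashing the same password twice yields two different strings. That is exactly why the documentation example stores only `$user->password`: the value in that column is the salt and the hash together.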