compare passwords on register using password_hash()


I'm using the password_hash function to secure the user's password on the login page. However, on the register page I ask the user to enter his password twice, but I can't compare both hashes because they are different even if the password is the same.

Should I compare both passwords as strings and then hash the password? Or what is the best practice for doing it?


Answer (score 4, accepted)

The password_hash function is used to hash a password, generating a new salt if necessary (you may pass your own salt, but this is not necessary), while the password_verify function is used to compare them (it uses the salt stored alongside the hash in order to perform the proper comparison).

When creating the passwords, the user provides it twice on plaintext, so all you need to check is $password1 == $password2.

If you wish to verify the password obtained from the database, you need to do:

$password_hash = <some database query>; // the hash stored for this user at registration
// password_verify() reads the algorithm, cost and salt from the stored hash itself,
// so no separate salt column is needed
if (password_verify($password, $password_hash)) {
    login_success();
} else {
    login_failure();
}

You could compare the passwords in the register page the same way, but there's no need.

Answer (score 8)

You do not have to hash the passwords. They are just strings and can be compared as such:

if ($_POST['password'] !== $_POST['password_verify']) {
    die('Passwords are not the same...');
}

You can also hash the real password and then use the password_verify function to make sure it is the same. I do not know why you would do that, but there may be a good reason to:

$hash   = password_hash($_POST['password'], PASSWORD_DEFAULT);
$verify = $_POST['password_verify'];
if (!password_verify($verify, $hash)) {
    die('Passwords are not the same...');
}
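The two answers above describe the same flow in fragments: compare the two plaintext entries on the register page, hash once, and use password_verify() at login. The script below is an added example that ties both together; it is not code from the question or from either answer. It assumes an in-memory array standing in for the users table (a real application would read and write the hash through its database layer), and the usernames and passwords in the sample run are constructed.

```php
<?php
// Added example: registration and login built around password_hash() / password_verify().
// The $users array is a constructed stand-in for a database table (username => hash).

declare(strict_types=1);

/**
 * Registration: the two entries the user typed are compared as plain strings,
 * then the password is hashed exactly once and only the hash is stored.
 * Hashing each entry separately would never match, because password_hash()
 * generates a fresh random salt on every call.
 */
function register(array &$users, string $username, string $password, string $confirm): bool
{
    // Strict comparison of the two plaintext entries (no hashing involved).
    if ($password !== $confirm) {
        return false;
    }
    if (isset($users[$username])) {
        return false; // username already taken
    }
    // PASSWORD_DEFAULT lets PHP pick the current recommended algorithm (bcrypt today).
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

/**
 * Login: password_verify() extracts algorithm, cost and salt from the stored
 * hash, so the same call works for every hash the table may contain. After a
 * successful login the hash is upgraded in place if the algorithm or cost is
 * no longer the default.
 */
function login(array &$users, string $username, string $password): bool
{
    // Hash computed once per process so unknown usernames still pay the cost
    // of one password_verify() and the two failure paths take similar time.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    }

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }

    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }

    // Transparent upgrade of old hashes, e.g. after raising the cost factor.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample run.
$users = [];
var_dump(register($users, 'alice', 'correct horse battery', 'correct horse battery'));
var_dump(register($users, 'bob', 'secret', 'secert'));   // entries differ, nothing stored
var_dump(login($users, 'alice', 'correct horse battery'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
```

Note that the stored value is only ever the hash: the plaintext lives in the request for the duration of register() or login() and is never written anywhere. password_needs_rehash() is what lets the cost factor be raised later without forcing every user to reset their password.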