by duskwuff
505 days ago
PHP's password_* functions make it difficult to misuse in this particular way. There's no function in that API which hashes a password with a controllable salt and returns the result; there's only password_hash(), which always uses a random salt, and password_verify(), which rehashes a password internally and returns a bool for whether it matched. (It's still got the truncates-at-72 problem with PASSWORD_BCRYPT, though.)
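The behaviour described in the comment above, as an added example that is not part of the original comment: it shows the per-call random salt, verification through password_verify(), the 72-byte truncation with PASSWORD_BCRYPT, and a length guard before hashing. The helper hash_password_checked(), the constant BCRYPT_MAX_BYTES and all sample passwords are hypothetical names and constructed values.

```php
<?php
declare(strict_types=1);

// Hypothetical constant: bcrypt only reads the first 72 bytes of its input.
const BCRYPT_MAX_BYTES = 72;

// Hypothetical helper: refuse input that bcrypt would silently truncate.
function hash_password_checked(string $password): string
{
    // strlen() counts bytes, which is the unit the bcrypt limit applies to.
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new LengthException('password exceeds 72 bytes; bcrypt would truncate it');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed sample password.
$pw = 'correct horse battery staple';

// Each call draws its own salt, so hashing the same password twice
// does not give comparable strings.
$h1 = password_hash($pw, PASSWORD_BCRYPT);
$h2 = password_hash($pw, PASSWORD_BCRYPT);
var_dump($h1 === $h2);

// password_verify() reads the salt and cost from the stored hash,
// rehashes the candidate internally and returns only a bool.
var_dump(password_verify($pw, $h1));
var_dump(password_verify($pw, $h2));
var_dump(password_verify('wrong guess', $h1));

// Truncation: two constructed passwords that share their first 72 bytes
// and differ only after that point are treated as the same password.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$stored = password_hash($prefix . 'first-suffix', PASSWORD_BCRYPT);
var_dump(password_verify($prefix . 'other-suffix', $stored));

// The guard rejects the over-long input instead of hashing a prefix of it.
try {
    hash_password_checked($prefix . 'first-suffix');
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```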