According to (relatively) new PHP documentation:
The password_hash function uses a random salt (which we should not worry about.. O_O), so if I understand correctly the salt has to be stored somewhere, else the user won’t be able to login after registering to a website (different salt => different hash.)
The function documentation doesn’t tell anything about interaction with a DB, and since I think storing per-user data is scalable only with a DB, where the heck does that function store the random salt? A
txt file like session data?
Let’s learn by example from what everyone else is telling you:
$options = [ 'cost' => 11, 'salt' => 'abcdefghijklmnopqrstuv', ]; echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT, $options)."\n";
The bolded parts are your cost and salt, respectively embedded in the resulting hash.
You can spit this back into
password_verify and it will handle it accordingly:
print_r(password_verify('rasmuslerdorf', '$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm')); // true
The password_hash manual states
The used algorithm, cost and salt are returned as part of the hash.
Therefore, all information that’s needed to verify the hash is
included in it. This allows the password_verify() function to verify
the hash without needing separate storage for the salt or algorithm
Therefore the salt is already included in the hash you are saving in the db.