I am trying to implement a password hashing/salting algorithm from crackstation.net, but I am unsure how to implement it.
Storing the password upon user registration seems to be as simple as passing the password into create_hash().
$password = create_hash($_POST['Password']);
I'm not following how to validate upon user login. validate_password($password, $good_hash) returns either true or false, and takes $password as a parameter, so it seems like a no-brainer except for the second parameter $good_hash. Where does this param come from?
It is my understanding that the password is turned into a hash value every time it's used, and that the hash value is what is stored and compared. So why would I have both the $password and $good_hash values?
Quick overview of the functions:
function create_hash($password){
calls pbkdf2()
}
function validate_password($password, $good_hash){
calls pbkdf2()
calls slow_equals()
}
function slow_equals($a, $b){
}
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false){
}
Of course a different, better method for this would also be just as helpful.
Thank you
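The following is an added example, not the crackstation.net code, that answers the question of where $good_hash comes from: at registration the output of create_hash() is stored with the account (here in a $users array standing in for a database table), and at login that stored string is fetched by username and passed as $good_hash. The create_hash()/validate_password() pair below is my own illustration built on PHP's hash_pbkdf2(), hash_equals() and random_bytes() (PHP 7.0 or later); the "algorithm:iterations:salt:hash" storage layout is an assumption of this example, chosen so that everything needed to recompute the hash except the password travels with the hash.

```php
<?php
// Added example (not the crackstation.net code). Shows the registration and
// login flow around a PBKDF2 hash: $good_hash is the stored hash for the user.

const PBKDF2_ALGORITHM  = 'sha256';
const PBKDF2_ITERATIONS = 100000;
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_HASH_BYTES = 32;

// Stand-in for a users table (constructed for this example): username => stored hash.
$users = array();

function create_hash($password) {
    // Fresh random salt per password, so identical passwords get different hashes.
    $salt = random_bytes(PBKDF2_SALT_BYTES);
    $hash = hash_pbkdf2(PBKDF2_ALGORITHM, $password, $salt,
                        PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    // Storage layout assumed by this example: algorithm:iterations:salt:hash.
    // The salt and the parameters are not secret; only the password is.
    return PBKDF2_ALGORITHM . ':' . PBKDF2_ITERATIONS . ':'
         . base64_encode($salt) . ':' . base64_encode($hash);
}

function validate_password($password, $good_hash) {
    // $good_hash is what create_hash() returned at registration. Pull the salt
    // and parameters out of it, recompute the hash for the submitted password,
    // and compare the two in constant time.
    $parts = explode(':', $good_hash);
    if (count($parts) !== 4) {
        return false;
    }
    list($algorithm, $iterations, $salt_b64, $hash_b64) = $parts;
    $salt = base64_decode($salt_b64, true);
    $hash = base64_decode($hash_b64, true);
    if ($salt === false || $hash === false) {
        return false;
    }
    $candidate = hash_pbkdf2($algorithm, $password, $salt, (int) $iterations, strlen($hash), true);
    return hash_equals($hash, $candidate);  // constant-time comparison, like slow_equals()
}

// Registration: hash the submitted password and store the result with the account.
function register(array &$users, $username, $password) {
    $users[$username] = create_hash($password);
}

// Login: look up the stored hash for this username and hand it to the verifier.
function login(array $users, $username, $password) {
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = create_hash('no such user');
    }
    if (!isset($users[$username])) {
        // Unknown user: still do one PBKDF2 run so response time does not
        // reveal which usernames exist.
        validate_password($password, $dummy_hash);
        return false;
    }
    return validate_password($password, $users[$username]);
}

register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'bob',   'anything'));
```

In a real application the $users array is a database row: on registration you INSERT the string returned by create_hash(), and on login you SELECT it by username and pass it as $good_hash. On the "better method" question: PHP 5.5 and later ship password_hash() and password_verify(), which do the salting, the slow hash (bcrypt by default) and the constant-time comparison for you, and store everything in one string exactly as the example above does; the flow is the same, with password_hash() at registration and password_verify($password, $stored) at login.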