echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT); // why does it give a different result every single time
And then, password_verify() knows that ALL of those hashes match "rasmuslerdorf"; to me it's like magic, even though the docs clearly state:
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
This function is safe against timing attacks.
echo password_verify ( 'rasmuslerdorf' , '$2y$10$EMawXU7qNS4GzU2Do8bByeb7sSQZxecvmZ6mBrToxsOaY7RMAIGua' ); //=>true
echo password_verify ( 'rasmuslerdorf' , '$2y$10$0vMA2k7LxTBstI/J7clkkuZZ/XtuS1fklVuoM6sl4Fc/aj1avQa5u' ); //=>true
echo password_verify ( 'rasmuslerdorf' , '$2y$10$iuE2EzHMNONAWFKh/4Wyl.dcBxgFaNzAh32va0/gyE4ScqnNr/Uc.' ); //=>true
What is going on? How does password_verify() know that a bogus string matches 'rasmuslerdorf' but the hackers don't?
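
The documentation note quoted above, shown in code as an added example that is not part of the original post: each of the three hashes from the question is split into its algorithm id, cost and salt, and the check is then repeated by hand with crypt() and hash_equals(). The helper names parseBcrypt and verifyByHand and the wrong guess 'not-the-password' are made up for this illustration.

```php
<?php
// Added illustration, not code from the original post.
// parseBcrypt() and verifyByHand() are hypothetical helper names.

function parseBcrypt(string $hash): array
{
    // Layout: $<id>$<2-digit cost>$<22-char salt><31-char digest> (60 chars total)
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

function verifyByHand(string $password, string $stored): bool
{
    // crypt() reads the algorithm, cost and salt from the prefix of $stored
    // and recomputes the digest for $password with exactly those settings.
    $recomputed = crypt($password, $stored);
    // Compare in constant time so the check does not leak where strings differ.
    return hash_equals($stored, $recomputed);
}

// The three hashes quoted in the question.
$hashes = [
    '$2y$10$EMawXU7qNS4GzU2Do8bByeb7sSQZxecvmZ6mBrToxsOaY7RMAIGua',
    '$2y$10$0vMA2k7LxTBstI/J7clkkuZZ/XtuS1fklVuoM6sl4Fc/aj1avQa5u',
    '$2y$10$iuE2EzHMNONAWFKh/4Wyl.dcBxgFaNzAh32va0/gyE4ScqnNr/Uc.',
];

foreach ($hashes as $stored) {
    $p = parseBcrypt($stored);
    printf("id=%s cost=%d salt=%s\n", $p['id'], $p['cost'], $p['salt']);
    printf(
        "  by hand: %s  password_verify: %s  wrong guess: %s\n",
        var_export(verifyByHand('rasmuslerdorf', $stored), true),
        var_export(password_verify('rasmuslerdorf', $stored), true),
        var_export(verifyByHand('not-the-password', $stored), true)
    );
}
```

Each call to password_hash() draws a fresh random salt, which is why the output differs on every run. The salt is stored in the clear, so it does not help someone holding the hash skip any work: every password guess still costs a full bcrypt computation at the stored cost.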