I was wondering if it was possible/wise to use password_hash twice for my users' passwords on my website.
So let's say this:
User registers on my site, they enter a password, we will call this input. During account creation, their password is
$firstHash = password_hash($input, PASSWORD_BCRYPT)
(For example's sake, let's say this hashes to "thisFirstHash".) Once their password is hashed, it is hashed again:
$firstHash = password_hash($firstHash, PASSWORD_BCRYPT)
(For example's sake, let's say this hashes to "thisSecondHash".) This second hash is what is stored in the database, so now when they log in, the server has to decrypt a hashed hash.
When the user logs in, they enter their password again, we will again call this input. The server then has to re-encrypt the input to compare with the saved hash:
$loginHash1 = password_hash($input, PASSWORD_BCRYPT)
The server compares the new loginHash1 variable with the saved hash:
password_verify($loginHash1, "thisSecondHash")
If the first hash matches, compare the second hash:
password_verify($input,"thisFirstHash")
I couldn't quite get this to work properly in my small testing environment; I suspect it has something to do with the randomized salt being different during the login phase when rehashing the input.
So my questions are:
- Is it possible to do this?
- Is it beneficial to do this?
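The following is an added example, not code from the question above. It reproduces the two-step scheme exactly as the question describes it and shows where it breaks: password_hash() draws a fresh random salt on every call, so the hash computed at login is never the same string as the one computed at registration, and password_verify() treats whatever is passed as its first argument as the password to check. The sample password and the function names registerTwice, loginAsDescribed and loginSingleHash are constructed for this illustration.

```php
<?php
// Added example, not code from the original post. It reproduces the
// two-step scheme from the question and shows where it breaks.

// Registration as the question describes it: hash the password, then hash
// the resulting hash string. Both values are returned here so the failure
// can be inspected; the scheme in the question stores only the second one.
function registerTwice(string $input): array
{
    $firstHash  = password_hash($input, PASSWORD_BCRYPT);
    $secondHash = password_hash($firstHash, PASSWORD_BCRYPT);
    return ['first' => $firstHash, 'second' => $secondHash];
}

// Login as the question describes it: re-run password_hash() on the input
// and hand the result to password_verify() as if it were the password.
function loginAsDescribed(string $input, string $storedSecondHash): bool
{
    $loginHash1 = password_hash($input, PASSWORD_BCRYPT);
    return password_verify($loginHash1, $storedSecondHash);
}

// The flow password_hash()/password_verify() are designed for: one hash
// stored at registration, the raw input verified against it at login.
function loginSingleHash(string $input, string $storedHash): bool
{
    return password_verify($input, $storedHash);
}

$input  = 'correct horse battery staple';   // constructed sample password
$hashes = registerTwice($input);

// password_hash() generates a new random salt on every call and stores it
// inside the hash string (the 22 characters after the "$2y$10$" prefix), so
// hashing the same input again at login produces a different string from
// the registration-time first hash. This comparison is therefore false.
$loginHash1 = password_hash($input, PASSWORD_BCRYPT);
var_dump($loginHash1 === $hashes['first']);

// password_verify($x, $h) hashes $x with the salt embedded in $h and
// compares the result with $h. The stored second hash was produced from the
// exact first-hash string, so that string is the only input that verifies
// against it, and the server no longer has it at login time. A freshly
// generated $loginHash1 and the raw $input both fail the check.
var_dump(loginAsDescribed($input, $hashes['second']));
var_dump(password_verify($input, $hashes['second']));
var_dump(password_verify($hashes['first'], $hashes['second']));

// Single-hash flow: the correct password verifies, a wrong one does not,
// and no second hash is needed to reach that decision.
$stored = password_hash($input, PASSWORD_BCRYPT);
var_dump(loginSingleHash($input, $stored));
var_dump(loginSingleHash('wrong password', $stored));

// Caveat for any scheme that feeds a hash back into bcrypt: bcrypt reads at
// most 72 bytes of its input. A bcrypt hash string is 60 bytes, so it fits
// here, but a longer encoding (e.g. hex SHA-512, 128 bytes) would be
// silently truncated before hashing.
```

Run it with `php` on the command line. The var_dump lines show that the only string which verifies against the stored second hash is the first hash itself, which exists only at registration time, so the login check as written cannot succeed; the final two checks show the single-hash flow the API expects, where password_verify() reads the salt out of the stored hash rather than relying on the caller to reproduce it.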