I want to use an Android app to send an encrypted password to a PHP file on the server that stores it. This also works so far.
At login I send the encrypted password to the server again and the PHP file should find out if the password is correct.
But if I now use `if (password_verify($userPassword, $hash)) { }`
then the function requires the real password and not an encrypted one. How can I now compare encrypted with encrypted?
Or do I just have to send the visible password to an SSL server and it's still secure?
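The behaviour of `password_verify()` described in the question, as an added example that is not part of the original post: it shows why a hash cannot be compared with another hash and how the function is used with the plaintext the server receives. It assumes the password reaches the script over HTTPS; the in-memory `$users` array, the `register()` and `login()` helpers and all sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory user store standing in for the database table.
$users = [];

// Registration: hash the plaintext the server received and keep only the hash.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() re-derives the hash from the plaintext using the
// salt and cost embedded in the stored hash, then compares in constant time.
function login(array &$users, string $name, string $password): bool
{
    // Unknown users are checked against a dummy hash so that response time
    // does not reveal whether the account exists.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $hash = $users[$name] ?? $dummy;
    $ok = password_verify($password, $hash) && isset($users[$name]);

    // Upgrade the stored hash when the default algorithm or cost has changed.
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

register($users, 'alice', 'correct horse battery'); // constructed sample values

// Hashing the same password a second time yields a different string because
// password_hash() picks a new random salt on every call, so neither a string
// comparison nor password_verify() can match one hash against another.
$second = password_hash('correct horse battery', PASSWORD_DEFAULT);
var_dump($second === $users['alice']);
var_dump(password_verify($second, $users['alice']));

// Plaintext against the stored hash: correct, wrong, and unknown user.
var_dump(login($users, 'alice', 'correct horse battery'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'mallory', 'correct horse battery'));
```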