How the password_verify() function actually works in PHP


I am wondering about how password_verify() verifies the hash. I have reviewed the documentation and many answers on StackOverflow, but I didn't get the idea, because, as I understood it, this function will compare the hash with the entered password after hashing it again, using the same salt, cost and algorithm.

But the question here: if anyone can separate the salt from the hashed password, then anybody can also rehash and try to match, and the salt will be useless here. Am I right, or what?

svgta On

The salt has to be generated randomly each time the function is used (and that's what this function does; it no longer accepts a custom salt).

For example:

<?php
$password = "nothing";
echo password_hash($password, PASSWORD_DEFAULT);
echo PHP_EOL;
echo password_hash($password, PASSWORD_DEFAULT);

Gives the response:

$2y$10$mdJRjsoc1vR11SKa2JDyS.qSlxja/a0SUPuXC1NKsRLkzmayKwjku
$2y$10$H2th6dRY/i.xZzXSGxDZ1uaiwZx6s0.FM0NXcBcBQ0E2aNEHCJ57m

It's the same password with different results.

The hashed password is stored in a database or a file. In this case, a system admin (or someone who has hacked the database) can't tell if the same password is used by different users. Another point: rainbow tables can't be used against hashed passwords with a salt. Only brute force can be done.

Using the same salt for all is no more secure than using a simple hash algorithm.
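As an added example (not part of svgta's answer), this PHP script shows what password_verify() does with a bcrypt hash: the cost and salt are read back out of the stored string, the candidate password is re-hashed with them, and the two strings are compared in constant time. The helper names parseBcrypt and verifyLikePhpDoes are my own, not PHP APIs.

```php
<?php
// Added example, not code from the original post.
declare(strict_types=1);

// A "$2y$" bcrypt hash is one string: "$2y$" . cost . "$" . 22-char salt . 31-char digest.
// Nothing in it is secret: the salt is meant to be readable by whoever verifies.
function parseBcrypt(string $hash): array
{
    if (!preg_match('/^\$2y\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt ($2y$) hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

// What password_verify() does for bcrypt, written out step by step (hypothetical helper):
// crypt() reads the "$2y$cost$salt" prefix from the stored hash, re-hashes the
// candidate password with that cost and salt, and hash_equals() compares the
// result without leaking timing information about where the strings differ.
function verifyLikePhpDoes(string $password, string $storedHash): bool
{
    $recomputed = crypt($password, $storedHash);
    return hash_equals($storedHash, $recomputed);
}

// Constructed sample: hash the password from the post with a fresh random salt.
$stored = password_hash('nothing', PASSWORD_BCRYPT, ['cost' => 10]);
$parts  = parseBcrypt($stored);
printf("cost=%d salt=%s\n", $parts['cost'], $parts['salt']);

// Correct password verifies, wrong one does not; built-in gives the same answers.
var_dump(verifyLikePhpDoes('nothing', $stored));
var_dump(password_verify('nothing', $stored));
var_dump(verifyLikePhpDoes('nothing2', $stored));

// Knowing the salt does not help across users: a second user with the same
// password gets a different salt and a different hash, so the 2^cost work of
// a brute-force guess has to be repeated for every stored hash instead of
// being reused from one precomputed table.
$other = password_hash('nothing', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($stored === $other);
var_dump(parseBcrypt($other)['salt'] === $parts['salt']);
```

Each guess against one hash still costs a full bcrypt computation at the stored cost, which is the protection the salt preserves even though the salt itself is public.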