Hello list,
I want to hash and verify password using Zend\Crypt, but I'm a bit irritated by
a discrepancy in the docs and the actual code:
Docs say:
    use Zend\Crypt\Password\Bcrypt;

    $bcrypt = new Bcrypt();
    $securePass = 'the stored bcrypt value';
    $password = 'the password to check';
    if ($bcrypt->verify($password, $securePass)) {
        echo "The password is correct! \n";
    } else {
        echo "The password is NOT correct.\n";
    }
* see
https://zf2.readthedocs.org/en/latest/modules/zend.crypt.password.html?highlight=crypt
Code says:
    /**
     * Verify if a password is correct against a hash value
     *
     * @param string $password
     * @param string $hash
     * @return boolean
     */
    public function verify($password, $hash)
    {
        return ($hash === crypt($password, $hash));
    }
So, shouldn't the verify() method use the salt to encrypt the password? The
expression would only ever evaluate to true if crypt returned the second
parameter, i.e., the salt.
Best regards,
Andreas
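An added example (not from the list post and not Zend\Crypt's own code) that shows what crypt() actually returns when it is handed a stored bcrypt hash as its second argument, which is the behaviour the verify() method above relies on. The function names makeBcryptHash and verifyBcrypt are hypothetical; the example assumes a PHP build with bcrypt ("$2y$") support in crypt().

```php
<?php
// Added example, not taken from the Zend\Crypt code base or the list post.
// crypt() reads the algorithm id, cost and 22-character salt from the first
// 29 characters of its second argument, re-hashes the password with them and
// returns the full 60-character bcrypt string, not just the salt. That is why
// comparing the stored hash with crypt($password, $hash) is a valid check.

function makeBcryptHash(string $password, int $cost = 10): string
{
    // 16 random bytes, mapped onto bcrypt's salt alphabet (./A-Za-z0-9) and
    // truncated to the 22 characters the "$2y$cost$salt" setting expects.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $setting);
    // crypt() signals an unsupported algorithm with a short "*0"/"*1" string.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

function verifyBcrypt(string $password, string $hash): bool
{
    // Same comparison as Zend\Crypt's verify(), but with a constant-time
    // string compare so a mismatch is not reported faster than a match.
    return hash_equals($hash, crypt($password, $hash));
}

$stored = makeBcryptHash('correct horse battery staple');
echo "stored hash          : $stored\n";
echo "setting/salt prefix  : " . substr($stored, 0, 29) . "\n";
echo "crypt(), right pass  : " . crypt('correct horse battery staple', $stored) . "\n";
echo "crypt(), wrong pass  : " . crypt('wrong password', $stored) . "\n";
var_dump(verifyBcrypt('correct horse battery staple', $stored));
var_dump(verifyBcrypt('wrong password', $stored));
```

Running it shows that the first crypt() call reproduces the stored 60-character hash character for character, while the second call shares only the 29-character setting prefix.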