Reading this excellent answer about password hashing and wondering how to implement it:
The Wicked Flea wrote:
Generate a nonce for each user; this alone defeats the rainbow table. This is a random number that, depending on the range, expands how many resulting hashes there are.
So beside users' password store a unique token in my database?
The example code in the original post:
function hash_password($password, $nonce) {
global $site_key;
return hash_hmac('sha512', $password . $nonce, $site_key);
}
How can i verify a password with this code? Let me explain:
When user submits his password i need to generate it's hash to check for an existing database row where email address and hashed password match. How can i select this row when i know nothing about users' $nonce
? Am i missing something? Maybe i need to select user by only his e-mail address then verify the password hash later?
Btw, do you recommend this hashing method?