I am referencing this answer: https://stackoverflow.com/a/4766811/1114105
We re-hash the password, but then we don't really do anything with the hash (we use the POST-submitted plaintext password in the CheckPassword function to authenticate). Can't a hacker bypass the re-hashing part?
Here's my pseudocode underneath.
if a password/username is submitted by POST and $row['password'] is the hashed pword in sql.
$t_hasher = new PasswordHash(13, FALSE);
$hash = $t_hasher->HashPassword($_POST['password']);
$check = $t_hasher->CheckPassword($_POST['password'], $row['password']);
if($check) Great success else Wrong credentials`
Note: I found that the work factor does not make a difference in the time it takes CheckPassword to run. It only increases the time for HashPassword.
Well there are two types of attacks against passwords:
In case 1 he has already circumvented your login-form, he don't cares how much time is needed for one login on your system. But he cares how much time it takes to brute-force the password on his system(s). So the work factor just makes it harder to brute-force the password by trying every combination and hashing it with the same algorithm as your system. "re-hashing" the password to make the login-process longer won't help in this case.
In case 2 however he does care how much time is needed for trying a password on your system because he must do it a lot to get to the right login (plus he must probably guess the username if he can't find that out). The attacker must be very dumb because he will leave traces and wastes time. You can make his life more miserable by blocking his IP after a certain number of failed logins. Plus you could add a sleep
after every invalid login (a sleep does not need that much resources as a CPU intensive hashing-operation).