
PHP - password_hash

Class

Root \ No class

Method - password_hash

(PHP 5 >= 5.5.0, PHP 7)

The password_hash() function is used to create secure password hashes.

The returned value contains the password hash together with information about the hashing algorithm used, so after switching to a more secure algorithm, even an old hash can be successfully verified.

Unlike the crypt() function, password_hash() only supports algorithms considered secure and generates a random salt automatically. The format of the resulting hash is the same, so it can be verified using password_verify().

Algorithms

The currently supported algorithms are BCRYPT and, since PHP 7, ARGON2.

The PASSWORD_DEFAULT constant can be used to ensure that the most secure algorithm is used. Please note that this constant is designed to change in new versions of PHP as new stronger and more secure algorithms are implemented. Therefore, you should be aware that the length of the resulting hash can change. When saving the hash, you should make sure that you can store at least 60 characters (255 recommended). If you are unsure which algorithm to use, use PASSWORD_DEFAULT.

Bcrypt is used as PASSWORD_DEFAULT as of PHP 5.5.0.

Procedural

  • function password_hash (string $password, integer $algo, array $options) : string

Parameters

Name | Data type | Default value | Description
$password | string | | The password to hash.
$algo | integer | | The constant specifying the algorithm to hash the password.
$options | array | | An associative array of additional settings (like salt or cost) of the used algorithm. Depends on the specific algorithm.

Options for PASSWORD_BCRYPT

  • cost (int): the algorithmic cost. Higher is more secure, but more demanding on computing resources. Default is 10.
  • salt (string): a manually supplied salt. If not specified, the salt is generated randomly.

Options for PASSWORD_ARGON2I

  • memory_cost (int): The maximal memory in bytes used while computing the hash. Default is PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
  • time_cost (int): The maximal time in milliseconds to compute the hash. Default is PASSWORD_ARGON2_DEFAULT_TIME_COST.
  • threads (int): The maximal number of threads that can be used to compute the hash. Default is PASSWORD_ARGON2_DEFAULT_THREADS.

Return values

Returns: string

The hash of the password on success, false otherwise.

Examples

Hashing using the default algorithm:

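<?php
// Hash with the current default algorithm; the salt is generated automatically.
$hash = password_hash("veryweakpassword", PASSWORD_DEFAULT);
// password_verify() reads the algorithm and salt from the hash itself.
if (password_verify("veryweakpassword", $hash)) {
    echo "The hash for the password 'veryweakpassword' ($hash) was created and verified successfully.";
} else {
    echo "Oops, something went wrong...";
}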

Hashing using Argon2:

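<?php
// Request Argon2i explicitly instead of the default algorithm.
$hash = password_hash("veryweakpassword", PASSWORD_ARGON2I);
echo "Hash: $hash \n";
echo "And it is ";
// Verification is the same call regardless of the algorithm that made the hash.
echo password_verify("veryweakpassword", $hash) ? "CORRECT!" : "INCORRECT :(";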
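
Upgrading old hashes at login: because the returned string records the algorithm and cost that produced it, a hash made under an older policy still verifies and can be replaced once the user logs in. The following is an added example, not part of the original page; the $users array (a constructed stand-in for a database table), login() and the POLICY_* constants are assumptions made for illustration.

```php
<?php
// Added example, not part of the original page. login(), the POLICY_*
// constants and $users are hypothetical names chosen for illustration.

const POLICY_ALGO = PASSWORD_DEFAULT;
const POLICY_OPTIONS = ['cost' => 12]; // applies while the default is bcrypt

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // The stored string names its own algorithm and cost, so hashes made
    // under an older policy still verify.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // The plaintext is only available at this point, so upgrade the hash
    // here if it no longer matches the current policy.
    if (password_needs_rehash($stored, POLICY_ALGO, POLICY_OPTIONS)) {
        $new = password_hash($password, POLICY_ALGO, POLICY_OPTIONS);
        if (is_string($new)) { // keep the old hash if hashing failed
            $users[$name] = $new;
        }
    }
    return true;
}

// Constructed sample data: a hash created under an older, cheaper policy.
$users = [
    'alice' => password_hash('veryweakpassword', PASSWORD_BCRYPT, ['cost' => 10]),
];

// A failed login must not touch the stored hash.
var_dump(login($users, 'alice', 'wrong-password'));
var_dump(password_get_info($users['alice'])['options']['cost']);

// A successful login verifies against the old hash, then replaces it.
var_dump(login($users, 'alice', 'veryweakpassword'));
var_dump(password_get_info($users['alice'])['options']['cost']);
var_dump(password_needs_rehash($users['alice'], POLICY_ALGO, POLICY_OPTIONS));
```

In a real application the replacement hash is written back to the user's database row, so the column has to be wide enough for the recommended 255 characters.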

Related manuals

      • function crypt (string $str, string $salt) : string
      • function password_verify (string $password, string $hash) : boolean