Professional Documents
Culture Documents
Password - Hash: Done by
Password - Hash: Done by
Searching
Done by
Abd Allah Abo Salah
Ammar ALfalahi
Dr
Ansam
password_hash — Creates a password hash
Description
password_hash() creates a new password hash using a strong one-way hashing algorithm.
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that
this constant is designed to change over time as new and stronger algorithms are
added to PHP. For that reason, the length of the result from using this identifier can
change over time. Therefore, it is recommended to store the result in a database
column that can expand beyond 60 characters (255 characters would be a good
choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will
produce a standard crypt() compatible hash using the "$2y$" identifier. The result will
always be a 60 character string, or false on failure.
PASSWORD_ARGON2I - Use the Argon2i hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.
PASSWORD_ARGON2ID - Use the Argon2id hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.
salt (string) - to manually provide a salt to use when hashing the password. Note that
this will override and prevent a salt from being automatically generated.
Warning
The salt option is deprecated. It is now preferred to simply use the salt that is
generated by default. As of PHP 8.0.0, an explicitly given salt is ignored.
cost (int) - which denotes the algorithmic cost that should be used. Examples of these
values can be found on the crypt () page.
If omitted, a default value of 10 will be used. This is a good baseline cost, but you
may want to consider increasing it depending on your hardware.
memory_cost (int) - Maximum memory (in kibibytes) that may be used to compute
the Argon2 hash. Defaults to PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
time_cost (int) - Maximum amount of time it may take to compute the Argon2 hash.
Defaults to PASSWORD_ARGON2_DEFAULT_TIME_COST.
threads (int) - Number of threads to use for computing the Argon2 hash. Defaults to
PASSWORD_ARGON2_DEFAULT_THREADS.
Warning
Only available when PHP uses libargon2, not with libsodium implementation.
Parameters
password
Caution
Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter
being truncated to a maximum length of 72 bytes.
algo
A password algorithm constant denoting the algorithm to use when hashing the
password.
options
An associative array containing options. See the password algorithm constants for
documentation on the supported options for each algorithm.
If omitted, a random salt will be created and the default cost will be used.
Return Values
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information
that's needed to verify the hash is included in it. This allows the password_verify() function
to verify the hash without needing separate storage for the salt or algorithm information.
Examples
<?php
/**
* We just want to hash our password using the current DEFAULT algorithm.
* This is presently BCRYPT, and will produce a 60 character result.
*
* Beware that DEFAULT may change over time, so you would want to prepare
* By allowing your storage to expand past 60 characters (255 would be good
)
*/
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
?>
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
<?php
/**
* In this case, we want to increase the default cost for BCRYPT to 12.
* Note that we also switched to BCRYPT, which will always be 60 characters
.
*/
$options = [
'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K
<?php
/**
* This code will benchmark your server to determine how high of a cost you
can
* afford. You want to set the highest cost that you can without slowing do
wn
* you server too much. 8-10 is a good baseline, and more is good if your s
ervers
* are fast enough. The code below aims for ≤ 50 milliseconds stretching ti
me,
* which is a good baseline for systems handling interactive logins.
*/
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost;
?>
<?php
echo 'Argon2i hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
?>
Argon2i hash:
$argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc
8lpXRW9/S0sYY2i2jHT0