PASSWORD_HASH

Searching

Done by
Abd Allah Abo Salah
Ammar ALfalahi

Dr
Ansam
password_hash — Creates a password hash

Description

password_hash(string $password, string|int|null $algo, array $options = []): string

password_hash() creates a new password hash using a strong one-way hashing algorithm.

The following algorithms are currently supported:

 PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that
this constant is designed to change over time as new and stronger algorithms are
added to PHP. For that reason, the length of the result from using this identifier can
change over time. Therefore, it is recommended to store the result in a database
column that can expand beyond 60 characters (255 characters would be a good
choice).
 PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will
produce a standard crypt() compatible hash using the "$2y$" identifier. The result will
always be a 60 character string, or false on failure.
 PASSWORD_ARGON2I - Use the Argon2i hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.
 PASSWORD_ARGON2ID - Use the Argon2id hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.

Supported options for PASSWORD_BCRYPT:

 salt (string) - to manually provide a salt to use when hashing the password. Note that
this will override and prevent a salt from being automatically generated.

If omitted, a random salt will be generated by password_hash() for each password

hashed. This is the intended mode of operation.

Warning

The salt option is deprecated. It is now preferred to simply use the salt that is
generated by default. As of PHP 8.0.0, an explicitly given salt is ignored.

 cost (int) - which denotes the algorithmic cost that should be used. Examples of these
values can be found on the crypt () page.

If omitted, a default value of 10 will be used. This is a good baseline cost, but you
may want to consider increasing it depending on your hardware.

Supported options for PASSWORD_ARGON2I and PASSWORD_ARGON2ID:

 memory_cost (int) - Maximum memory (in kibibytes) that may be used to compute
the Argon2 hash. Defaults to PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
  time_cost (int) - Maximum amount of time it may take to compute the Argon2 hash.
Defaults to PASSWORD_ARGON2_DEFAULT_TIME_COST.
 threads (int) - Number of threads to use for computing the Argon2 hash. Defaults to
PASSWORD_ARGON2_DEFAULT_THREADS.

Warning

Only available when PHP uses libargon2, not with libsodium implementation.

Parameters
password

The user's password.

Caution

Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter
being truncated to a maximum length of 72 bytes.

algo

A password algorithm constant denoting the algorithm to use when hashing the
password.

options

An associative array containing options. See the password algorithm constants for
documentation on the supported options for each algorithm.

If omitted, a random salt will be created and the default cost will be used.

Return Values

Returns the hashed password.

The used algorithm, cost and salt are returned as part of the hash. Therefore, all information
that's needed to verify the hash is included in it. This allows the password_verify() function
to verify the hash without needing separate storage for the salt or algorithm information.

Examples

Example #1 password_hash() example

<?php
/**
 * We just want to hash our password using the current DEFAULT algorithm.
 * This is presently BCRYPT, and will produce a 60 character result.
 *
 * Beware that DEFAULT may change over time, so you would want to prepare
 * By allowing your storage to expand past 60 characters (255 would be good
)
 */
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
?>

The above example will output something similar to:

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

Example #2 password_hash() example setting cost manually

<?php
/**
 * In this case, we want to increase the default cost for BCRYPT to 12.
 * Note that we also switched to BCRYPT, which will always be 60 characters
.
 */
$options = [
    'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>

The above example will output something similar to:

$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K

Example #3 password_hash() example finding a good cost

<?php
/**
 * This code will benchmark your server to determine how high of a cost you 
can
 * afford. You want to set the highest cost that you can without slowing do
wn
 * you server too much. 8-10 is a good baseline, and more is good if your s
ervers
 * are fast enough. The code below aims for ≤ 50 milliseconds stretching ti
me,
 * which is a good baseline for systems handling interactive logins.
 */
$timeTarget = 0.05; // 50 milliseconds 

$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost;
?>

The above example will output something similar to:

Appropriate Cost Found: 10

Example #4 password_hash() example using Argon2i

<?php
echo 'Argon2i hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
?>

The above example will output something similar to:

Argon2i hash:
$argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc
8lpXRW9/S0sYY2i2jHT0