The password_hash() function creates a hash of a password.
PHP version requirements: PHP 5 >= 5.5.0, PHP 7
string password_hash ( string $password , int $algo [, array $options ] )
password_hash() creates a password hash using a sufficiently strong one-way hashing algorithm. password_hash() is compatible with crypt(), so password hashes created by crypt() can also be used with password_hash().
Currently supported algorithms:
PASSWORD_DEFAULT
- Uses the bcrypt algorithm (the default as of PHP 5.5.0). Note that this constant will change as PHP adds newer, stronger algorithms, so the length of the result generated with this constant may change in the future. The database column that stores the result should therefore allow more than 60 characters (255 characters is recommended).
PASSWORD_BCRYPT
- Creates a hash using the CRYPT_BLOWFISH algorithm. This produces a crypt()-compatible hash with the "$2y$" identifier. The result is a 60-character string, or FALSE on failure.
PASSWORD_ARGON2I
- Creates a hash using the Argon2 hashing algorithm.
Options supported by PASSWORD_BCRYPT:
salt (string) - Manually provide a salt value to use when hashing the password. This disables automatic salt generation.
When this value is omitted, password_hash() generates a random salt for each password hash. This is the intended mode of operation.
Note: The salt option is deprecated as of PHP 7.0.0. It is now preferable to simply use the automatically generated salt.
cost (integer) - The cost used by the algorithm. Examples of cost values can be found on the crypt() page.
When omitted, the default value is 10. This cost is a good baseline, but you may be able to increase it depending on your hardware.
Options supported by PASSWORD_ARGON2I:
memory_cost (integer) - Maximum memory (unit: byte) that may be used when computing the Argon2 hash. Default value: PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
time_cost (integer) - Maximum amount of time spent computing the Argon2 hash. Default value: PASSWORD_ARGON2_DEFAULT_TIME_COST.
threads (integer) - Maximum number of threads to use when computing the Argon2 hash. Default value: PASSWORD_ARGON2_DEFAULT_THREADS.
Parameter description:
password: a hash value created by password_hash().
algo: A password algorithm constant indicating the algorithm to use when hashing the password.
options: An associative array of options. Currently two options are supported: salt, the salt (random "interference" string) mixed in when hashing the password, and cost, which specifies the algorithmic cost (work factor). Examples of both values can be found on the crypt() page.
When omitted, a random salt and the default cost are used.
Returns the hashed password, or FALSE on failure.
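The options above matter most at the point where a stored hash is checked again. The following is an added example, not code from the PHP manual, that shows the full cycle a login system needs: hashing on registration, verifying on login, and transparently re-hashing when the stored hash no longer matches the current algorithm or cost (which is exactly why the manual says to reserve a 255-character column for PASSWORD_DEFAULT). The names HASH_ALGO, HASH_OPTIONS, $users, register_user() and login_user() are hypothetical; the "user table" is a constructed in-memory array, and the legacy $2y$10$ hash is the one printed further down this page, assumed to be the hash of "rasmuslerdorf".

```php
<?php
// Added example (not from the PHP manual): hash on registration, verify on
// login, and upgrade the stored hash when the configured cost changes.
// HASH_ALGO, HASH_OPTIONS, $users, register_user() and login_user() are
// hypothetical names chosen for this example.

// Site-wide hashing policy; raise 'cost' as the hardware allows.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed in-memory "user table": username => hash. A real application
// stores the hash in a column of at least 255 characters so that a future
// change of PASSWORD_DEFAULT or cost does not truncate it.
$users = [];

function register_user(array &$users, string $username, string $password): void
{
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $users[$username] = $hash;
}

function login_user(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the user does not exist, so that
    // unknown and known usernames take roughly the same time to reject.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // The plaintext is available only here, so this is the moment to replace
    // a hash made with an older algorithm or a lower cost (e.g. a $2y$10$ hash
    // after the policy was raised to cost 12).
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Usage: a fresh registration plus a legacy cost-10 hash taken from this page
// (assumed to be the hash of "rasmuslerdorf").
register_user($users, 'alice', 'correct horse battery staple');
$users['rasmus'] = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

var_dump(login_user($users, 'alice', 'correct horse battery staple'));
var_dump(login_user($users, 'rasmus', 'rasmuslerdorf'));
var_dump(password_get_info($users['rasmus'])['options']); // cost after rehash
var_dump(login_user($users, 'rasmus', 'wrong'));
var_dump(login_user($users, 'nobody', 'rasmuslerdorf'));
```

Two design points are worth noting: password_needs_rehash() is called only after a successful password_verify(), because the plaintext is needed to produce the new hash, and the dummy-hash branch keeps the response time of "no such user" close to that of "wrong password" so the login endpoint does not reveal which usernames exist.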
The output is:
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
The output is:
$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K
Example of setting the salt value manually
<?php
/*
 * Note that the salt value here is randomly generated.
 * Never use a fixed salt value, or a salt value that was not randomly generated.
 *
 * In most cases you should let password_hash() generate a random salt for you.
 * The salt option is deprecated as of PHP 7.0.0. The original example used
 * mcrypt_create_iv(), which was removed from PHP core in 7.2, so random_bytes()
 * (available since PHP 7.0) is used here instead.
 */
$options = [
    'cost' => 11,
    'salt' => random_bytes(22),
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
The output is:
$2y$11$q5MkhSBtlsJcNEVsYh64a.aCluzHnGog7TQAKVmQwO9C8xb.t89F.
password_hash() example to find the best cost
<?php
/*
 * This example benchmarks the server to find how high a cost it can afford:
 * the highest value that does not slow the server down noticeably.
 * 8-10 is a good baseline; if the server is fast enough, higher is better.
 * The code below targets <= 50 milliseconds per hash, which is suitable
 * for a system handling interactive logins.
 * The loop stops at the first cost whose hashing time reaches the target.
 */
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost;
?>
The output is:
Appropriate Cost Found: 10
Example using Argon2:
<?php
echo 'Argon2 hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
?>
The output is:
Argon2 hash: $argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0