Password Hashing
Storing passwords as hashes rather than in clear text adds an additional level of security to your system.

password_hash($s, $i [, $arr]) creates a one-way password hash for the password $s. Password hashes created with crypt() can also be used with password_hash(). $i denotes the algorithm and can be PASSWORD_DEFAULT or PASSWORD_BCRYPT. The latter truncates the password $s to 72 characters and always produces a 60-character hash. For PASSWORD_BCRYPT you may specify $arr, an array containing the keys 'salt' and 'cost'. 'cost' denotes the algorithmic cost and is 10 by default.

password_verify($s1, $s2) returns true if the password $s1 matches the hash $s2. Note that password_hash() embeds the algorithm, cost and salt in the returned hash, so password_verify() needs no separate salt.

password_needs_rehash($s, $i [, $arr]) returns true if the supplied hash $s was not created with the algorithm $i and the options $arr.

password_get_info($s) returns an array containing information about the hash.
<?php
$P = 'myPassword';
// 'salt' is deprecated since PHP 7.0 and ignored (with a warning) since 8.0:
// password_hash() generates its own random salt, so omit the key in new code.
// mcrypt_create_iv() was removed in PHP 7.2; random_bytes() replaces it here.
// A bcrypt salt is 22 characters from the alphabet ./A-Za-z0-9.
$O = [
    'cost' => 11,
    'salt' => substr(strtr(base64_encode(random_bytes(17)), '+', '.'), 0, 22),
];
$H = password_hash($P, PASSWORD_BCRYPT, $O);
echo $H, "\n";
var_dump(password_verify($P, $H));                        // password matches hash
var_dump(password_needs_rehash($H, PASSWORD_BCRYPT, $O)); // same algorithm and cost
print_r(password_get_info($H));
?>
$2y$11$i9NVGbfeHnhlosoJr74r8.HtRLqlpcPzT5QBL0uWcuHDHFzq6JxnO
bool(true)
bool(false)
Array
(
    [algo] => 1
    [algoName] => bcrypt
    [options] => Array
        (
            [cost] => 11
        )

)
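The four functions above are meant to be used together in a login routine: verify on every login and, because that is the only moment the plaintext is available, rehash right there when the stored hash no longer meets the current cost policy. The following is an added example, not code from the original page; $users is a constructed in-memory stand-in for a database table, and the names HASH_ALGO, HASH_OPTIONS, registerUser() and login() are the example's own.

```php
<?php
// Added example: verify-then-rehash login flow against a constructed user store.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // current policy

// Constructed user store: one user whose hash was created at the older cost 10.
$users = [
    'alice' => ['hash' => password_hash('correct horse', HASH_ALGO, ['cost' => 10])],
];

function registerUser(array &$users, string $name, string $password): void
{
    // Never store the password itself; password_hash() picks a random salt.
    $users[$name] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

function login(array &$users, string $name, string $password): bool
{
    // Verify against a dummy hash for unknown users so that the response time
    // does not reveal whether the account exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    }
    $hash = $users[$name]['hash'] ?? $dummy;

    if (!password_verify($password, $hash) || !isset($users[$name])) {
        return false;
    }
    // Password is correct and the plaintext is in hand: upgrade the hash if the
    // stored one was made with a different algorithm or a lower cost.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$name]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$before = password_get_info($users['alice']['hash'])['options']['cost'];
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse'));
$after = password_get_info($users['alice']['hash'])['options']['cost'];
echo "cost before login: $before, after login: $after\n";
var_dump(login($users, 'nobody', 'correct horse'));

registerUser($users, 'bob', 'another passphrase');
var_dump(password_needs_rehash($users['bob']['hash'], HASH_ALGO, HASH_OPTIONS));
?>
```

Raising the cost in HASH_OPTIONS later migrates every account on its next successful login without a bulk reset.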
This finds a suitable bcrypt cost for a given time budget: it increases the cost until a single password_hash() call takes at least $timeTarget seconds on this machine.
<?php
$timeTarget = 1.0; // seconds a single hash may take on this hardware
$cost = 9;         // loop starts at cost 10
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost . "\n";
?>
Appropriate Cost Found: 14