PHP Password Hashing Algorithm
The password_hash() function creates a hash of a password.
PHP version requirement: PHP 5 >= 5.5.0, PHP 7
string password_hash ( string $password , int $algo [, array $options ] )
password_hash() creates a password hash using a sufficiently strong one-way hashing algorithm. password_hash() is compatible with crypt(), so password hashes created by crypt() (in a supported format) can be verified with password_verify().
Currently supported algorithms:
PASSWORD_DEFAULT
- Uses the bcrypt algorithm (the default as of PHP 5.5.0).
Note that this constant will change as newer, stronger algorithms are added to PHP, so the length of the result produced with it may change in the future.
Therefore, the database column that stores the result should hold more than 60 characters (255 is a good choice).
PASSWORD_BCRYPT
- Creates the hash with the CRYPT_BLOWFISH algorithm.
This produces a hash compatible with the "$2y$" format of crypt().
The result is always a 60-character string, or FALSE on failure.
PASSWORD_ARGON2I
- Creates the hash with the Argon2i algorithm (available since PHP 7.2.0, when PHP is compiled with Argon2 support).
Options supported by PASSWORD_BCRYPT:
salt (string) - Manually provides the salt for the hashed password. This disables the automatically generated salt.
If omitted, password_hash() generates a random salt for each password it hashes. This is the intended mode of operation.
Note: The salt option has been deprecated as of PHP 7.0.0 and is ignored as of PHP 8.0.0. Simply use the default, automatically generated salt.
cost (integer) - The algorithmic cost to use; bcrypt performs 2^cost rounds. Examples of cost values can be found on the crypt() page.
If omitted, the default value is 10. This cost is a good baseline, but it may be increased as the hardware permits.
Options supported by PASSWORD_ARGON2I:
memory_cost (integer) - Maximum memory (in kibibytes, not bytes) that may be used to compute the Argon2 hash. Default: PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
time_cost (integer) - Maximum number of iterations (passes over the memory) that may be used to compute the Argon2 hash. Default: PASSWORD_ARGON2_DEFAULT_TIME_COST.
threads (integer) - Number of threads to use when computing the Argon2 hash. Default: PASSWORD_ARGON2_DEFAULT_THREADS.
Parameter description:
password: The plaintext password to hash. Note that with PASSWORD_BCRYPT only the first 72 bytes of the password are used; anything beyond that is silently ignored.
algo: A password algorithm constant denoting the algorithm to use when hashing the password.
options: An associative array of options. For bcrypt two options are supported: salt, the salt added when hashing the password, and cost, the algorithmic cost (bcrypt performs 2^cost rounds). Examples of these values can be found on the crypt() page.
If omitted, a random salt and the default cost are used.
Returns the hashed password, or FALSE on failure.
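The reference above covers hashing only. As an added example (not code from the PHP manual), the block below puts password_hash(), password_verify() and password_needs_rehash() together the way a login system uses them, so a cost increase in the policy upgrades old records on their next successful login, and then demonstrates the 72-byte bcrypt limit noted under the password parameter. The function names registerUser(), loginUser() and check(), the cost values and the sample passwords are this example's own choices. Requires PHP 7.1 or later.

```php
<?php
// Added example, not from the PHP manual. Hash on registration, verify on
// login, and upgrade old hashes transparently when the cost policy rises.
// Requires PHP >= 7.1 (nullable return types).

// Policy for newly created hashes. Raising the cost here is enough: existing
// records are rehashed by loginUser() on the next successful login.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

// Registration: store the returned string, never the password itself. The
// string embeds the algorithm, cost and salt, so no extra columns are needed.
function registerUser(string $password): string
{
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    if ($hash === false) {            // PHP < 8 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login: returns null on a wrong password. On success returns the hash to
// keep, which is a fresh one if the stored hash is below the current policy.
// This is the only moment the plaintext is available for rehashing.
function loginUser(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        return registerUser($password);
    }
    return $storedHash;
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample: a record hashed earlier at the default cost of 10.
$password = 'correct horse battery staple';
$oldHash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo "stored:   $oldHash\n";

check(loginUser('wrong password', $oldHash) === null, 'wrong password is rejected');

$newHash = loginUser($password, $oldHash);
echo "upgraded: $newHash\n";
check($newHash !== null && strncmp($newHash, '$2y$12$', 7) === 0, 'hash upgraded to cost 12');
check(!password_needs_rehash($newHash, HASH_ALGO, HASH_OPTIONS), 'new hash meets policy');
check(loginUser($password, $newHash) === $newHash, 'hash at policy is kept as-is');

// Caveat: bcrypt uses only the first 72 bytes of the password. Two passwords
// that share a 72-byte prefix verify against the same hash, so enforce a
// maximum length in the application (or reject over-long input) rather than
// relying on the algorithm. Cost 4 (the minimum) keeps this demo fast.
$prefix   = str_repeat('a', 72);
$longHash = password_hash($prefix, PASSWORD_BCRYPT, ['cost' => 4]);
check(password_verify($prefix . 'ignored-after-byte-72', $longHash), 'bytes past 72 are ignored');
check(!password_verify(str_repeat('a', 71) . 'b', $longHash), 'bytes within 72 still matter');

echo "all checks passed\n";
```

Run it from the command line with `php example.php`. The rehash step only works because the plaintext is in hand at login time; there is no way to raise the cost of a stored hash offline, which is why the policy constant is checked on every successful verification rather than in a batch job.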
<?php
/**
 * We want to hash the password with the default algorithm.
 * Currently that is bcrypt, which produces a 60-character result.
 *
 * Note that the default algorithm may change over time, so the
 * storage column should hold more than 60 characters (255 is a good choice).
 */
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
?>
The output is:
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
<?php
/**
 * In this case we raise the cost of bcrypt to 12.
 * Note that we have switched to PASSWORD_BCRYPT, which always produces 60 characters.
 */
$options = [
    'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
The output is:
$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K
Example of manually setting a salt value
<?php
/**
 * Note that the salt here is randomly generated.
 * Never use a fixed salt, or a salt that was not generated randomly.
 *
 * In the vast majority of cases, let password_hash() generate a random salt for you.
 * The salt option is deprecated as of PHP 7.0.0 and ignored as of PHP 8.0.0;
 * random_bytes() is used here because mcrypt_create_iv() was removed in PHP 7.2.
 */
$options = [
    'cost' => 11,
    'salt' => random_bytes(22),
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
The output is:
$2y$11$q5MkhSBtlsJcNEVsYh64a.aCluzHnGog7TQAKVmQwO9C8xb.t89F.
Example of finding the best cost for password_hash()
<?php
/**
 * This example benchmarks the server to find how high a cost it can afford
 * without slowing down too much. 8-10 is a good baseline, and higher is
 * better if the server is fast enough. The code below aims for ≤ 50 milliseconds,
 * which is suitable for systems handling interactive logins.
 */
$timeTarget = 0.05; // 50 milliseconds

$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost;
?>
The output is:
Appropriate Cost Found: 10
Example using Argon2:
<?php
echo 'Argon2 hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
?>
The output is:
Argon2 hash: $argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0
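The Argon2 example above relies on the defaults, and the output shows that in PHP 7.2 those were 1024 KiB of memory and 2 passes. As an added example (not code from the PHP manual), the block below chooses explicit Argon2i parameters, parses the "$argon2i$v=19$m=...,t=...,p=...$salt$hash" string format shown in the output, cross-checks the parser against password_get_info(), and audits the hash printed on this page against a stricter minimum policy. The helper names parseArgon2(), meetsPolicy() and check(), the option values and the policy thresholds are this example's assumptions. Requires PHP 7.2 or later built with Argon2 support.

```php
<?php
// Added example, not from the PHP manual: choosing Argon2i parameters and
// auditing stored hashes against a minimum policy. Requires PHP >= 7.2 built
// with Argon2 support. parseArgon2(), meetsPolicy() and check() are helpers
// written for this example.

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2i support\n");
    exit(1);
}

// memory_cost is in kibibytes: 65536 KiB = 64 MiB per hash computation.
// Size memory for the number of logins you expect to verify concurrently,
// then raise time_cost until one hash takes as long as you can tolerate.
const ARGON2_OPTIONS = [
    'memory_cost' => 65536,
    'time_cost'   => 4,
    'threads'     => 1,
];

// Split "$argon2i$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<tag>" into fields.
// Salt and tag are unpadded base64. Returns null for anything else.
function parseArgon2(string $hash): ?array
{
    $parts = explode('$', $hash);
    if (count($parts) !== 6 || !in_array($parts[1], ['argon2i', 'argon2id'], true)) {
        return null;
    }
    $params = [];
    foreach (explode(',', $parts[3]) as $pair) {
        if (strpos($pair, '=') === false) {
            return null;
        }
        [$key, $value] = explode('=', $pair, 2);
        $params[$key] = (int) $value;
    }
    if (!isset($params['m'], $params['t'], $params['p'])) {
        return null;
    }
    return [
        'variant'     => $parts[1],
        'version'     => (int) substr($parts[2], 2),
        'memory_cost' => $params['m'],
        'time_cost'   => $params['t'],
        'threads'     => $params['p'],
        'salt'        => base64_decode($parts[4]),
        'tag'         => base64_decode($parts[5]),
    ];
}

// True when a stored hash was computed with at least the given memory and
// time cost. Useful for auditing a user table before forcing rehashes.
function meetsPolicy(string $hash, array $minimum): bool
{
    $p = parseArgon2($hash);
    return $p !== null
        && $p['memory_cost'] >= $minimum['memory_cost']
        && $p['time_cost']   >= $minimum['time_cost'];
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

$hash = password_hash('rasmuslerdorf', PASSWORD_ARGON2I, ARGON2_OPTIONS);
echo "$hash\n";

// The hand parser must agree with password_get_info() on every parameter.
$info   = password_get_info($hash)['options'];
$parsed = parseArgon2($hash);
check($parsed !== null, 'hash parses');
check($parsed['memory_cost'] === $info['memory_cost'], 'memory_cost matches');
check($parsed['time_cost']   === $info['time_cost'],   'time_cost matches');
check($parsed['threads']     === $info['threads'],     'threads matches');
check(strlen($parsed['salt']) === 16, '16-byte salt (22 base64 chars, as in the hash on this page)');
check(meetsPolicy($hash, ARGON2_OPTIONS), 'fresh hash meets policy');

// The hash printed on this page was made with m=1024 (1 MiB) and t=2, the
// PHP 7.2 defaults. Against the 64 MiB policy it must be flagged.
$legacy = '$argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0';
check(!meetsPolicy($legacy, ARGON2_OPTIONS), 'legacy hash fails policy');
check(password_needs_rehash($legacy, PASSWORD_ARGON2I, ARGON2_OPTIONS), 'password_needs_rehash() agrees');

echo "all checks passed\n";
```

The parser exists so that a stored table can be audited without the plaintext; password_needs_rehash() gives the same answer per hash, but only at login time. Because memory_cost is in kibibytes, a value copied from documentation that quoted bytes would be about a thousand times too small, which is exactly the kind of mistake this audit surfaces.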