PHP - Password Hashing
The password hashing API provides an easy-to-use wrapper around crypt() and other password hashing algorithms, so that passwords can be created, stored and verified securely without choosing salts or comparison routines by hand.
Installation
There is no installation needed to use these functions. These functions are part of the PHP core.
To enable Argon2 password hashing, however, PHP must be built with libargon2 support using the --with-password-argon2[=DIR] configure option. A build that includes the sodium extension can also provide Argon2 through libsodium; that implementation does not support the threads option.
Runtime Configuration
This extension has no configuration directives defined in php.ini.
PHP Password Hashing Functions
Functions | Description |
---|---|
password_algos() | Get available password hashing algorithm IDs. |
password_get_info() | Returns information about the given hash. |
password_hash() | Creates a password hash. |
password_needs_rehash() | Checks if the given hash matches the given options. |
password_verify() | Verifies that a password matches a hash. |
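The following registration and login flow is an added example, not code from the PHP manual. It ties the five functions together: hash on registration, verify on login, upgrade the stored hash when password_needs_rehash() reports that the policy has changed, and inspect the result with password_get_info() and password_algos(). The in-memory `$users` array stands in for a database table and is constructed for this example; password_algos() and the `??=` operator require PHP 7.4 or later.

```php
<?php
// Added example (not from the PHP manual): a minimal registration / login flow
// built on the password hashing API. Storage is simulated with an in-memory
// array; in a real application $users would be a database table whose hash
// column is VARCHAR(255), since the length of a PASSWORD_DEFAULT hash may change.
declare(strict_types=1);

/** Simulated user store, username => stored hash. Constructed for this example. */
$users = [];

/** Registration: never store the password itself, only the password_hash() output. */
function registerUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT selects the algorithm PHP currently considers strongest;
    // a fresh random salt is generated on every call, so identical passwords
    // produce different hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Login: check the password with password_verify(), then transparently
 * upgrade the stored hash if the algorithm or its options no longer match
 * the current policy.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    // Unknown users are verified against a dummy hash so that the response
    // time does not reveal whether the username exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // The parameters embedded in the stored hash are compared with the ones we
    // would use today; on mismatch, re-hash while the plaintext is still available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'mallory', 'anything'));

// password_get_info() parses the algorithm and options back out of the hash;
// password_algos() lists the algorithm IDs this build of PHP can produce.
print_r(password_get_info($users['alice']));
print_r(password_algos());
```

The rehash step is what makes raising the cost, or a change in what PASSWORD_DEFAULT means, safe to roll out: old hashes keep verifying and are replaced one by one as users log in.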
PHP Password Hashing Predefined Constants
The constants below are always available as part of the PHP core.
PASSWORD_BCRYPT (string)
PASSWORD_BCRYPT is used to create new password hashes using the CRYPT_BLOWFISH algorithm.
This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.
Supported Options:
salt (string) - to manually provide a salt to use when hashing the password. This overrides and prevents a salt from being automatically generated.
If omitted, a random salt is generated by password_hash() for each password hashed. This is the intended mode of operation; the salt option has been deprecated as of PHP 7.0.0, and as of PHP 8.0.0 a supplied salt is ignored with a warning and a generated salt is used instead.
cost (int) - the algorithmic cost that should be used. The cost is the base-2 logarithm of the number of bcrypt rounds, so each increment doubles the time needed to compute (and to brute-force) a hash.
If omitted, a default value of 10 is used. This is a good baseline cost, but you may want to increase it depending on your hardware. Note also that bcrypt only processes the first 72 bytes of the password; anything beyond that is silently ignored.
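Because the right cost depends on the hardware, it is usually chosen by measurement rather than picked from a table. The script below is an added example, not code from the PHP manual: it raises the cost until password_hash() exceeds a latency budget (250 ms is an assumed, illustrative target) and then shows the 72-byte truncation described above. hrtime() requires PHP 7.3 or later.

```php
<?php
// Added example (not from the PHP manual): choose a bcrypt cost for this host
// by timing password_hash(), then demonstrate bcrypt's 72-byte input limit.
declare(strict_types=1);

/**
 * Returns the highest bcrypt cost whose hashing time stays below $targetMs on
 * the current hardware. The loop starts at the documented default of 10 and
 * never returns a lower value; 4..31 is the range PHP accepts.
 */
function calibrateBcryptCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 31): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = hrtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (hrtime(true) - $start) / 1e6;
        if ($elapsedMs > $targetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

/**
 * bcrypt consumes only the first 72 bytes of the password. Two passwords that
 * share a 72-byte prefix therefore verify against the same hash. Returns true
 * when that truncation is observed on this build.
 */
function bcryptTruncatesAt72Bytes(): bool
{
    $prefix = str_repeat('A', 72);
    $hash = password_hash($prefix . 'tail-one', PASSWORD_BCRYPT);
    return password_verify($prefix . 'tail-two', $hash);
}

$cost = calibrateBcryptCost();
printf("bcrypt cost for this host: %d\n", $cost);

$hash = password_hash('example password', PASSWORD_BCRYPT, ['cost' => $cost]);
printf("hash: %s (%d chars)\n", $hash, strlen($hash));

printf("72-byte truncation observed: %s\n", bcryptTruncatesAt72Bytes() ? 'yes' : 'no');
```

Run the calibration on the machine class that will actually verify logins, not on a developer laptop, and re-run it when the hardware changes; hashes produced with the old cost are picked up by password_needs_rehash(). If users may choose passphrases longer than 72 bytes, either enforce a length limit at registration or use Argon2, which has no such limit.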
PASSWORD_ARGON2I (string)
PASSWORD_ARGON2I is used to create new password hashes using the Argon2i algorithm.
Supported Options:
- memory_cost (int) - Maximum memory (in kibibytes) that may be used to compute the Argon2 hash. Default is PASSWORD_ARGON2_DEFAULT_MEMORY_COST.
- time_cost (int) - Number of iterations (passes over the memory) used to compute the Argon2 hash. Default is PASSWORD_ARGON2_DEFAULT_TIME_COST.
- threads (int) - Number of threads to use for computing the Argon2 hash. Default is PASSWORD_ARGON2_DEFAULT_THREADS. Only available with libargon2, not with the libsodium implementation.
Available as of PHP 7.2.0.
PASSWORD_ARGON2ID (string)
PASSWORD_ARGON2ID is used to create new password hashes using the Argon2id algorithm. It supports the same options as PASSWORD_ARGON2I.
Available as of PHP 7.3.0.
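The following is an added example, not code from the PHP manual. It hashes with PASSWORD_ARGON2ID using explicit parameters, falls back to bcrypt when the running PHP was built without Argon2 support, reads the parameters back with password_get_info(), and shows password_needs_rehash() detecting a hash made under a weaker policy. The values in ARGON2_OPTIONS (64 MiB, 3 iterations) are assumed for illustration and must be tuned to your own hardware and latency budget; password_algos() requires PHP 7.4 or later.

```php
<?php
// Added example (not from the PHP manual): Argon2id with explicit parameters,
// a bcrypt fallback for builds without Argon2, and parameter inspection.
declare(strict_types=1);

// Illustrative policy values, assumed for this example. memory_cost is in
// kibibytes (64 * 1024 KiB = 64 MiB); time_cost is a number of iterations.
// The threads option is left at its default because it only exists on
// libargon2 builds, not on the libsodium implementation.
const ARGON2_OPTIONS = [
    'memory_cost' => 64 * 1024,
    'time_cost'   => 3,
];

/** Returns [algorithm id, options] appropriate for this build of PHP. */
function selectPasswordAlgorithm(): array
{
    // PASSWORD_ARGON2ID is only defined when PHP was built with Argon2 support;
    // password_algos() confirms at runtime that the algorithm is usable.
    if (defined('PASSWORD_ARGON2ID') && in_array(PASSWORD_ARGON2ID, password_algos(), true)) {
        return [PASSWORD_ARGON2ID, ARGON2_OPTIONS];
    }
    // Fallback: bcrypt with a cost above the default of 10 (assumed value).
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hashPassword(string $password): string
{
    [$algo, $options] = selectPasswordAlgorithm();
    return password_hash($password, $algo, $options);
}

$hash = hashPassword('correct horse battery staple');
echo $hash, PHP_EOL;

// The hash string records its own parameters (for Argon2id it starts with
// $argon2id$v=19$m=...,t=...,p=...), so password_get_info() can recover them.
$info = password_get_info($hash);
printf("algo=%s options=%s\n", $info['algoName'], json_encode($info['options']));

// A hash produced under a weaker policy is flagged for re-hashing against
// the current options; the rehash itself happens at login, when the
// plaintext is available.
if (defined('PASSWORD_ARGON2ID')) {
    $weaker  = ['memory_cost' => 16 * 1024, 'time_cost' => 2];
    $oldHash = password_hash('correct horse battery staple', PASSWORD_ARGON2ID, $weaker);
    var_dump(password_needs_rehash($oldHash, PASSWORD_ARGON2ID, ARGON2_OPTIONS));
}
```

Prefer PASSWORD_ARGON2ID over PASSWORD_ARGON2I for new deployments: Argon2id combines the side-channel resistance of Argon2i with the GPU-cracking resistance of Argon2d. Keep memory_cost as high as the verification hosts can sustain under concurrent logins, since memory is the parameter that most limits an attacker's parallelism.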
PASSWORD_ARGON2_DEFAULT_MEMORY_COST (int)
Default amount of memory in kibibytes that will be used while trying to compute a hash.
Available as of PHP 7.2.0.
PASSWORD_ARGON2_DEFAULT_TIME_COST (int)
Default number of iterations that will be performed while trying to compute a hash.
Available as of PHP 7.2.0.
PASSWORD_ARGON2_DEFAULT_THREADS (int)
Default number of threads that libargon2 will use. It is not available with the libsodium implementation.
Available as of PHP 7.2.0.
PASSWORD_DEFAULT (mixed)
The default algorithm to use for hashing if no algorithm is provided.
Note that this constant can change over time as newer, stronger algorithms are added to PHP, and with it the length of the resulting hash. Therefore, when PASSWORD_DEFAULT is used, the resulting hash should be stored in a column that can hold more than 60 characters (255 is the recommended width), and password_needs_rehash() should be called at login so that hashes made with a previous default are upgraded.
Values for this constant:
- PHP 5.5.0 - PASSWORD_BCRYPT