Extras

Specifying Password Hashing Algorithms

Chapter 10 shows how PHP's password_hash() function creates a hash from a password (which should be stored in the database instead of the password that the user supplied).

As described on PHP.net, the second parameter of this function allows you to specify the hashing algorithm that should be used.

The possible values you can use for the hashing algorithm as shown in the table below:

PASSWORD_DEFAULT

Currently, this uses the BCRYPT algorithm (see the entry below), but this value is designed so that it can change to a newer, and stronger, algorithm if one is added to PHP in the future.

PASSWORD_BCRYPT

The BCRYPT algorithm implements another algorithm (or cipher) known as Blowfish. It creates a hash that is always 60 characters long.

PASSWORD_ARGON2I

This uses an algorithm called Agon2i. It is only available if PHP has been compiled with Argon2 support.

PASSWORD_ARGON2ID

This uses an algorithm called Argon2id. The algorithm is only available if PHP has been compiled with Argon2 support.

NOTE: If you come across the MD5, SHA1 and SHA256 hashing algorithms, they were designed to be fast and efficient, but they are no longer considered strong enough to handle passwords because it is relatively easy to get passwords from the hash.

When a hash is created it stores all of the data required to check that, when the user re-enters their password, it creates the same value:

  • The name of the algorithm used to create the hash.
  • Options for that algorithm. A common option is cost, which controls the amount of resource the server can use to create the hash.
  • A salt, which is a random set of characters that are added to the password before it is hashed.
  • The hashed password.
parts of a hash

To future proof the database, the column that stores passwords should be able to store more characters than are used by the current BCRYPT algorithm (255 characters is the current suggested limit).