Tuesday 15 January 2013

php - What is the default algorithm in password_hash?


Reading the documentation about a new function for PHP 5.5, I'm wondering what the default algorithm is:

    password_hash("rasmuslerdorf", PASSWORD_DEFAULT);

The documentation doesn't specify anything about this.

This has been updated in the documentation and will soon propagate to the constants page (I made the change to the documentation an hour or so ago).

This will be live today.

From the updated constants page (which is not live yet, but will be later):

Available algorithms:

  • PASSWORD_BCRYPT (integer)

    PASSWORD_BCRYPT is used to create new password hashes using the CRYPT_BLOWFISH algorithm.

    This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.

    Supported options:

    • salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

      If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

    • cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.

      If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.

  • PASSWORD_DEFAULT (integer)

    The default algorithm to use for hashing if no algorithm is provided. This may change in newer PHP releases when newer, stronger hashing algorithms are supported.

    It is worth noting that over time this constant may (and likely will) change. Therefore you should be aware that the length of the resulting hash can change. So if you use PASSWORD_DEFAULT, you should store the resulting hash in a way that can store more than 60 characters (255 is the recommended width).

    Values for this constant:

    • PHP 5.5.0 - PASSWORD_BCRYPT

    Note on where and how PASSWORD_DEFAULT will be updated: updates to the algorithms supported by this function (or changes to the default one) must follow these rules:

    • Any new algorithm must be in core for at least 1 full release of PHP before it can become the default. So if, for example, a new algorithm is added in 5.5.5, it would not be eligible for the default until 5.7 (since 5.6 would be the first full release). But if a different algorithm was added in 5.6.0, it would also be eligible for the default at 5.7.0.

    • The default should only change on a full release (5.6.0, 6.0.0, etc.) and not in a revision release. The only exception to this is in an emergency when a critical security flaw is found in the current default.
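Because PASSWORD_DEFAULT (and the sensible cost) can change between releases, the practical consequence is that a login handler should verify against whatever hash is stored and transparently upgrade it when it no longer matches the current default. The following is an added example, not code from the question or answer above; it assumes PHP 5.5 or later, where password_hash(), password_verify() and password_needs_rehash() exist, and goes one step beyond the page by showing the rehash-on-login pattern.

```php
<?php
// Added example: hash with PASSWORD_DEFAULT, verify, and re-hash when the
// default algorithm or the desired cost has moved on since the hash was stored.

function hashOptions()
{
    // Raise above the 5.5 default of 10 as your hardware allows.
    return array('cost' => 12);
}

function hashPassword($password)
{
    // PASSWORD_DEFAULT is bcrypt in 5.5 ("$2y$", 60 chars) but may change later,
    // so the storage column must be wide enough (255 is the recommended width).
    return password_hash($password, PASSWORD_DEFAULT, hashOptions());
}

// Returns true on a correct password. $updateStoredHash is a callback
// (hypothetical persistence hook) that receives the new hash to store.
function loginCheck($password, $storedHash, $updateStoredHash)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // The stored hash was made with an older algorithm or a lower cost than we
    // now want; upgrade it while the plaintext is available from this login.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, hashOptions())) {
        call_user_func($updateStoredHash, hashPassword($password));
    }
    return true;
}

// Constructed demo: a hash made earlier at cost 10, the 5.5 default.
$old = password_hash('rasmuslerdorf', PASSWORD_BCRYPT, array('cost' => 10));
$upgraded = null;
$ok = loginCheck('rasmuslerdorf', $old, function ($new) use (&$upgraded) {
    $upgraded = $new;
});

echo $ok ? "login ok\n" : "login failed\n";
echo strlen($old) . " chars in the stored bcrypt hash\n";
if ($upgraded !== null) {
    $info = password_get_info($upgraded);
    echo "hash upgraded to cost " . $info['options']['cost'] . "\n";
}
echo loginCheck('wrong-password', $old, function ($new) {}) ? "unexpected\n" : "wrong password rejected\n";
```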
