PHP | crypt(), password_hash() Functions

In the previous article on md5(), sha1(), and hash() Functions we saw that one of the major drawbacks of the method was that these algorithms were very fast due to less complexity and thus more vulnerable to attacks, they are even suggested not to use in a full-fledged project of greater importance. Thus, PHP now provides with a couple new methods to hash user passwords in a much more optimized and secure way. The methods are discussed as follows:

crypt() Function

Syntax:

string crypt ($string, $salt)

Parameters: The function an take up to a maximum of two parameters as follows:

  • $string: This parameter expects the string to be hashed.
  • $salt: This is an optional parameter by definition but it is almost never expected to leave the salt field undefined. The salt parameter expects a random string to be used as the base of the hashing. Many developers tend to use the combination of some specific fields and random characters appended together.

Return Type: This function returns the hashed string.

As crypt() was better than its predecessors it was widely used, but the reliability of the function was questionable, hence PHP now provides a built-in function to serve the purpose of Password Hashing and is recommended for use.

password_hash() Function

Syntax:

string password_hash($string, $algo, $options)

Parameters: The function an take up to a maximum of three parameters as follows:

  • $string: This parameter expects the string to be hashed.
  • $algo: This parameter expects an integer value that refers to the algorithm to be used for the purpose. Three algorithms are available as follows:
    • PASSWORD_DEFAULT: This is the recommended algo, as the developer team of PHP are adding new algorithms and updating the following to be the best option.
    • PASSWORD_BCRYPT: This algorithm uses the CRYPT_BLOWFISH algorithm and generates a crypt() equivalent hash.
    • PASSWORD_ARGON2I: Uses the Argon2 Hashing Algorithm.
  • $options: This is an optional parameter that expects an array of advanced options as described. The supported options for each algorithm slightly differs from each other. The supported options are as follows:

    Supported options for PASSWORD_BCRYPT:

    • Cost: Maximum Algorithmic Cost to be applied. Default value is 10. Algorithmic cost directly affects the loading time and depends significally on the hardware running.
    • Salt: Developers can provide manual salts as well, but it is not recommended.

    Supported options for PASSWORD_ARGON2I:

    • Memory cost: Maximum Memory Cost to be applied to generate the hash.
    • Time cost: Maximum Time to be taken to calculate the hash.
    • Threads: Number of threads to be used.

Return Type: This function returns the hashed string on success or FALSE.

Below program illustrates the working of crypt() and password_hash() in PHP:

filter_none

edit
close

play_arrow

link
brightness_4
code

<?php
  
// PHP code to illustrate the working of 
// crypt() and password_hash()
  
$str = 'Password';
$options = [
               'cost' => 10,
               'salt' => '$P27r06o9!nasda57b2M22'
           ];
             
echo sprintf("Result of crypt() on %s is %s\n"
             $str, crypt($str, $options['salt']));
echo sprintf("Result of DEFAULT on %s is %s\n",
      $str, password_hash($str, PASSWORD_DEFAULT));
echo sprintf("Result of BCRYPT on %s is %s\n", $str
    password_hash($str, PASSWORD_BCRYPT, $options));
      
?>

chevron_right


Output:

Result of crypt() on Password is $PFKQN2rkmKu6
Result of DEFAULT on Password is $2y$10$yqFvDGy
v2Tz4d/A/yulbFe5ISH9oR3gvU7GQLMYRKR7XQJnGpQOau
Result of BCRYPT on Password is $2y$10$JFAyN3Iw
Nm85IW5hc2RhNOlEBYnR992.gf.5FqZhHSbln3a4jtQpi

Important points to note:

  • A hashing algorithm should preferably be a one-way route i.e. there should not exist a decrypt method, following this concept, the described functions has no decrypt method.
  • Not having any decrypting method the validation of password would require to crypting every input provided by the user on time of login, thus PHP provides password_verify() Function to validate the same.
  • crypt() and password_hash() are both compatible with each other. We can say that password_hash() method is a much more user friendly wrapper of the crypt() method itself.

Reference:



My Personal Notes arrow_drop_up

FullStack Developer of six websites Verified Freelancer with 19 complete projects and 4.9 rating Modest Lifelong Learner

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.




Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.