BcryptPasswordHash implements PasswordHashInterface

This class implements the 'bcrypt' flavour of the PHP password API.

Hashes are identified by the prefix '$2y$'.

To work around the limitations of bcrypt (it accepts no more than 72 characters and truncates at NUL bytes), the plain password is pre-hashed before the actual password hash is generated or verified.

Tags
see
PASSWORD_BCRYPT

in https://secure.php.net/manual/en/password.constants.php

Table of Contents

Interfaces

PasswordHashInterface
Interface with the public methods a salted hashing class needs to implement.

Constants

PREFIX  = '$2y$'
Prefix for the password hash

Properties

$options  : array<string|int, mixed>
Sets the default bcrypt cost: 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a typical Intel i7 CPU.

Methods

__construct()  : mixed
Constructor sets options if given
checkPassword()  : bool
Checks if a given plaintext password is correct by comparing it with a given salted hashed password.
getHashedPassword()  : string
Extends the parent method to work around bcrypt limitations.
isAvailable()  : bool
Returns true if sha384 (for pre-hashing) and bcrypt itself are available.
isHashUpdateNeeded()  : bool
Checks whether a user's hashed password needs to be replaced with a new hash.
isValidSaltedPW()  : bool
Determines if a given string is a valid salted hashed password.
isValidBcryptCost()  : bool
processPlainPassword()  : string
The plain password is processed through sha384 and then base64 encoded. This produces a 64-character input for the password_* functions, which has some advantages:
1. It is close to the bcrypt maximum of 72 characters of keyspace.
2. base64 never produces NUL bytes (bcrypt truncates at NUL bytes).
3. sha384 is resistant to length extension attacks.

Constants

PREFIX

Prefix for the password hash

protected mixed PREFIX = '$2y$'

Properties

$options

Sets the default bcrypt cost: 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a typical Intel i7 CPU.

protected array<string|int, mixed> $options = ['cost' => 12]

Methods

__construct()

Constructor sets options if given

public __construct([array<string|int, mixed> $options = [] ]) : mixed
Parameters
$options : array<string|int, mixed> = []
Tags
throws
InvalidArgumentException

checkPassword()

Checks if a given plaintext password is correct by comparing it with a given salted hashed password.

public checkPassword(string $plainPW, string $saltedHashPW) : bool
Parameters
$plainPW : string

plain text password to compare with salted hash

$saltedHashPW : string

Salted hash to compare plain-text password with

Return values
bool

getHashedPassword()

Extends the parent method to work around bcrypt limitations.

public getHashedPassword(string $password) : string
Parameters
$password : string

Plaintext password to create a salted hash from

Return values
string

Salted hashed password

isAvailable()

Returns true if sha384 (for pre-hashing) and bcrypt itself are available.

public isAvailable() : bool
Return values
bool

isHashUpdateNeeded()

Checks whether a user's hashed password needs to be replaced with a new hash.

public isHashUpdateNeeded(string $passString) : bool
Parameters
$passString : string

Salted hash to check if it needs an update

Return values
bool

TRUE if salted hash needs an update, otherwise FALSE

isValidSaltedPW()

Determines if a given string is a valid salted hashed password.

public isValidSaltedPW(string $saltedPW) : bool
Parameters
$saltedPW : string

String to check

Return values
bool

TRUE if it is a valid salted hashed password, otherwise FALSE

processPlainPassword()

The plain password is processed through sha384 and then base64 encoded. This produces a 64-character input for the password_* functions, which has some advantages:
1. It is close to the bcrypt maximum of 72 characters of keyspace.
2. base64 never produces NUL bytes (bcrypt truncates at NUL bytes).
3. sha384 is resistant to length extension attacks.

protected processPlainPassword(string $password) : string
Parameters
$password : string
Return values
string
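The following is an added example, not the project's own BcryptPasswordHash code: a minimal class (hypothetical name PrehashedBcryptExample) that reproduces the pre-hash-then-bcrypt scheme described above and in the class description, using only the standard hash(), base64_encode() and password_* functions. The demo at the bottom uses constructed inputs to show why the pre-hash is needed: two passwords that share their first 72 bytes are indistinguishable to bcrypt alone, but not once the sha384/base64 step is applied. It assumes PHP 8.0 or later (str_starts_with, str_contains).

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's code). Mirrors the documented scheme:
// sha384 -> base64 -> password_hash(PASSWORD_BCRYPT). Names are hypothetical.
final class PrehashedBcryptExample
{
    public const PREFIX = '$2y$';

    /** @var array{cost:int} */
    private array $options;

    public function __construct(array $options = [])
    {
        // bcrypt accepts costs from 4 to 31; 12 matches the page's PHP 8.4 default.
        $cost = $options['cost'] ?? 12;
        if (!is_int($cost) || $cost < 4 || $cost > 31) {
            throw new InvalidArgumentException('bcrypt cost must be an integer between 4 and 31');
        }
        $this->options = ['cost' => $cost];
    }

    public function isAvailable(): bool
    {
        return in_array('sha384', hash_algos(), true) && defined('PASSWORD_BCRYPT');
    }

    // sha384 gives 48 raw bytes; base64 turns them into exactly 64 printable
    // characters, so the bcrypt input is always below 72 bytes and never holds a NUL.
    public function processPlainPassword(string $password): string
    {
        return base64_encode(hash('sha384', $password, true));
    }

    public function getHashedPassword(string $password): string
    {
        return password_hash($this->processPlainPassword($password), PASSWORD_BCRYPT, $this->options);
    }

    public function checkPassword(string $plainPW, string $saltedHashPW): bool
    {
        return $this->isValidSaltedPW($saltedHashPW)
            && password_verify($this->processPlainPassword($plainPW), $saltedHashPW);
    }

    public function isValidSaltedPW(string $saltedPW): bool
    {
        return str_starts_with($saltedPW, self::PREFIX)
            && password_get_info($saltedPW)['algoName'] === 'bcrypt';
    }

    // True when the stored hash was made with a different algorithm or cost
    // than the one currently configured, so it should be regenerated on next login.
    public function isHashUpdateNeeded(string $passString): bool
    {
        return password_needs_rehash($passString, PASSWORD_BCRYPT, $this->options);
    }
}

// --- Demonstration with constructed inputs ---
$hasher = new PrehashedBcryptExample(['cost' => 10]); // lower cost keeps the demo fast

// Two passwords identical in their first 72 bytes and different afterwards.
$long     = str_repeat('a', 72) . 'tail-1';
$longDiff = str_repeat('a', 72) . 'tail-2';

// Plain bcrypt ignores everything past byte 72, so it cannot tell these apart.
$raw = password_hash($long, PASSWORD_BCRYPT, ['cost' => 10]);
printf("plain bcrypt accepts the other tail: %s\n", var_export(password_verify($longDiff, $raw), true));

// With the pre-hash, the full password contributes to the bcrypt input.
$pre = $hasher->getHashedPassword($long);
printf("pre-hashed, correct password:  %s\n", var_export($hasher->checkPassword($long, $pre), true));
printf("pre-hashed, other tail:        %s\n", var_export($hasher->checkPassword($longDiff, $pre), true));

// Whatever the input (here one containing a NUL byte), the bcrypt input is 64 chars without NUL.
$processed = $hasher->processPlainPassword("pa\0ss");
printf("processed length=%d, contains NUL: %s\n", strlen($processed), var_export(str_contains($processed, "\0"), true));

// A hash stored at cost 10 is flagged for re-hashing by an instance configured with cost 12.
$stronger = new PrehashedBcryptExample(['cost' => 12]);
printf("needs rehash at cost 12: %s\n", var_export($stronger->isHashUpdateNeeded($pre), true));
```

Run it with `php example.php`. The first printf is the limitation the class description refers to; the next two show the pre-hash removing it. Note that the class checks the hash prefix and algorithm before calling password_verify(), so a hash produced by another PasswordHashInterface implementation is rejected rather than silently compared against the wrong input.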
