Pbkdf2PasswordHash implements PasswordHashInterface
Class that implements PBKDF2 salted hashing based on PHP's hash_pbkdf2() function.
Table of Contents
Interfaces
- PasswordHashInterface
- Interface with public methods needed to be implemented in a salting hashing class.
Constants
- PREFIX = '$pbkdf2-sha256$'
- Prefix for the password hash.
Properties
- $options : array<string|int, mixed>
Methods
- __construct() : mixed
- Constructor sets options if given
- checkPassword() : bool
- Method checks if a given plaintext password is correct by comparing it with a given salted hashed password.
- getHashedPassword() : string|null
- Method creates a salted hash for a given plaintext password
- isAvailable() : bool
- Returns whether all prerequisites for the hashing methods are matched
- isHashUpdateNeeded() : bool
- Checks whether a user's hashed password needs to be replaced with a new hash.
- isValidSaltedPW() : bool
- Method determines if a given string is a valid salted hashed password.
- base64Decode() : string
- Adapted version of base64_encoding for compatibility with python passlib. The output of this function is is identical to base64_encode, except that it uses . instead of +, and omits trailing padding = and whitespace.
- base64Encode() : string
- Adapted version of base64_encoding for compatibility with python passlib. The output of this function is is identical to base64_encode, except that it uses . instead of +, and omits trailing padding = and whitespace.
- getGeneratedSalt() : string
- Generates a random base 64-encoded salt prefixed and suffixed with settings for the hash.
- getHashedPasswordInternal() : string|null
- Method creates a salted hash for a given plaintext password
- getIterationCount() : int|null
- Parses the log2 iteration count from a stored hash or setting string.
- getItoa64() : string
- Returns a string for mapping an int to the corresponding base 64 character.
- getLengthBase64FromBytes() : int
- Method determines required length of base64 characters for a given length of a byte string.
- getStoredSalt() : string
- Parses the salt out of a salt string including settings. If the salt does not include settings it is returned unmodified.
- isValidSalt() : bool
- Method determines if a given string is a valid salt.
Constants
PREFIX
Prefix for the password hash.
protected
mixed
PREFIX
= '$pbkdf2-sha256$'
Properties
$options
protected
array<string|int, mixed>
$options
= ['hash_count' => 25000]
The default log2 number of iterations for password stretching.
Methods
__construct()
Constructor sets options if given
public
__construct([array<string|int, mixed> $options = [] ]) : mixed
Parameters
- $options : array<string|int, mixed> = []
checkPassword()
Method checks if a given plaintext password is correct by comparing it with a given salted hashed password.
public
checkPassword(string $plainPW, string $saltedHashPW) : bool
Parameters
- $plainPW : string
-
plain-text password to compare with salted hash
- $saltedHashPW : string
-
salted hash to compare plain-text password with
Return values
bool —TRUE, if plain-text password matches the salted hash, otherwise FALSE
getHashedPassword()
Method creates a salted hash for a given plaintext password
public
getHashedPassword(string $password) : string|null
Parameters
- $password : string
-
plaintext password to create a salted hash from
Return values
string|null —Salted hashed password
isAvailable()
Returns whether all prerequisites for the hashing methods are matched
public
isAvailable() : bool
Return values
bool —Method available
isHashUpdateNeeded()
Checks whether a user's hashed password needs to be replaced with a new hash.
public
isHashUpdateNeeded(string $saltedPW) : bool
This is typically called during the login process when the plain text password is available. A new hash is needed when the desired iteration count has changed through a change in the variable $this->options['hashCount'].
Parameters
- $saltedPW : string
-
Salted hash to check if it needs an update
Return values
bool —TRUE if salted hash needs an update, otherwise FALSE
isValidSaltedPW()
Method determines if a given string is a valid salted hashed password.
public
isValidSaltedPW(string $saltedPW) : bool
Parameters
- $saltedPW : string
-
String to check
Return values
bool —TRUE if it's valid salted hashed password, otherwise FALSE
base64Decode()
Adapted version of base64_encoding for compatibility with python passlib. The output of this function is is identical to base64_encode, except that it uses . instead of +, and omits trailing padding = and whitespace.
protected
base64Decode(string $value) : string
Parameters
- $value : string
Return values
stringbase64Encode()
Adapted version of base64_encoding for compatibility with python passlib. The output of this function is is identical to base64_encode, except that it uses . instead of +, and omits trailing padding = and whitespace.
protected
base64Encode(string $input, int $count) : string
Parameters
- $input : string
-
The string containing bytes to encode.
- $count : int
-
The number of characters (bytes) to encode.
Return values
string —Encoded string
getGeneratedSalt()
Generates a random base 64-encoded salt prefixed and suffixed with settings for the hash.
protected
getGeneratedSalt() : string
Proper use of salts may defeat a number of attacks, including:
- The ability to try candidate passwords against multiple hashes at once.
- The ability to use pre-hashed lists of candidate passwords.
- The ability to determine whether two users have the same (or different) password without actually having to guess one of the passwords.
Return values
string —A character string containing settings and a random salt
getHashedPasswordInternal()
Method creates a salted hash for a given plaintext password
protected
getHashedPasswordInternal(string $password[, string|null $salt = null ]) : string|null
Parameters
- $password : string
-
plaintext password to create a salted hash from
- $salt : string|null = null
-
Optional custom salt with setting to use
Return values
string|null —Salted hashed password
getIterationCount()
Parses the log2 iteration count from a stored hash or setting string.
protected
getIterationCount(string $setting) : int|null
Parameters
- $setting : string
-
Complete hash or a hash's setting string or to get log2 iteration count from
Return values
int|null —Used hashcount for given hash string
getItoa64()
Returns a string for mapping an int to the corresponding base 64 character.
protected
getItoa64() : string
Return values
string —String for mapping an int to the corresponding base 64 character
getLengthBase64FromBytes()
Method determines required length of base64 characters for a given length of a byte string.
protected
getLengthBase64FromBytes(int $byteLength) : int
Parameters
- $byteLength : int
-
Length of bytes to calculate in base64 chars
Return values
int —Required length of base64 characters
getStoredSalt()
Parses the salt out of a salt string including settings. If the salt does not include settings it is returned unmodified.
protected
getStoredSalt(string $salt) : string
Parameters
- $salt : string
Return values
stringisValidSalt()
Method determines if a given string is a valid salt.
protected
isValidSalt(string $salt) : bool
Parameters
- $salt : string
-
String to check
Return values
bool —TRUE if it's valid salt, otherwise FALSE