BcryptPasswordHash implements PasswordHashInterface
This class implements the 'bcrypt' flavour of the php password api.
Hashes are identified by the prefix '$2y$'.
To work around the limitations of bcrypt (accepts not more than 72 chars and truncates on NUL bytes), the plain password is pre-hashed before the actual password-hash is generated/verified.
Tags
Table of Contents
Interfaces
- PasswordHashInterface
- Interface with public methods needed to be implemented in a salting hashing class.
Constants
- PREFIX = '$2y$'
- Prefix for the password hash
Properties
- $options : array<string|int, mixed>
- Set default PHP cost: Default is 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a casual I7 CPU.
Methods
- __construct() : mixed
- Constructor sets options if given
- checkPassword() : bool
- Checks if a given plaintext password is correct by comparing it with a given salted hashed password.
- getHashedPassword() : string|null
- Extend parent method to workaround bcrypt limitations.
- isAvailable() : bool
- bcrypt is always available in PHP core hash functions.
- isHashUpdateNeeded() : bool
- Checks whether a user's hashed password needs to be replaced with a new hash.
- isValidSaltedPW() : bool
- Determines if a given string is a valid salted hashed password.
- isValidBcryptCost() : bool
- processPlainPassword() : string
- The plain password is processed through sha384 and then base64 encoded. This will produce a 64 characters input to use with password_* functions, which has some advantages: 1. It is close to the (bcrypt-) maximum of 72 character keyspace 2. base64 will never produce NUL bytes (bcrypt truncates on NUL bytes) 3. sha384 is resistant to length extension attacks
Constants
PREFIX
Prefix for the password hash
protected
mixed
PREFIX
= '$2y$'
Properties
$options
Set default PHP cost: Default is 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a casual I7 CPU.
protected
array<string|int, mixed>
$options
= ['cost' => 12]
Methods
__construct()
Constructor sets options if given
public
__construct([array<string|int, mixed> $options = [] ]) : mixed
Parameters
- $options : array<string|int, mixed> = []
checkPassword()
Checks if a given plaintext password is correct by comparing it with a given salted hashed password.
public
checkPassword(string $plainPW, string $saltedHashPW) : bool
Parameters
- $plainPW : string
-
plain text password to compare with salted hash
- $saltedHashPW : string
-
Salted hash to compare plain-text password with
Return values
bool —TRUE, if plaintext password is correct, otherwise FALSE
getHashedPassword()
Extend parent method to workaround bcrypt limitations.
public
getHashedPassword(string $password) : string|null
Parameters
- $password : string
-
Plaintext password to create a hash from
Return values
string|null —Hashed password or null on empty password
isAvailable()
bcrypt is always available in PHP core hash functions.
public
isAvailable() : bool
Return values
bool —Method available
isHashUpdateNeeded()
Checks whether a user's hashed password needs to be replaced with a new hash.
public
isHashUpdateNeeded(string $passString) : bool
Parameters
- $passString : string
-
Salted hash to check if it needs an update
Return values
bool —TRUE if salted hash needs an update, otherwise FALSE
isValidSaltedPW()
Determines if a given string is a valid salted hashed password.
public
isValidSaltedPW(string $saltedPW) : bool
Parameters
- $saltedPW : string
-
String to check
Return values
bool —TRUE if it's valid salted hashed password, otherwise FALSE
isValidBcryptCost()
protected
isValidBcryptCost(int $cost) : bool
Parameters
- $cost : int
Tags
Return values
boolprocessPlainPassword()
The plain password is processed through sha384 and then base64 encoded. This will produce a 64 characters input to use with password_* functions, which has some advantages: 1. It is close to the (bcrypt-) maximum of 72 character keyspace 2. base64 will never produce NUL bytes (bcrypt truncates on NUL bytes) 3. sha384 is resistant to length extension attacks
protected
processPlainPassword(string $password) : string
Parameters
- $password : string