TYPO3CMS  main
TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash Class Reference
Public Member Functions

 __construct (array $options=[])
 isAvailable ()
 checkPassword (string $plainPW, string $saltedHashPW)
 getHashedPassword (string $password)
bool isValidSaltedPW (string $saltedPW)
bool isHashUpdateNeeded (string $passString)

Protected Member Functions

 processPlainPassword (string $password)
 isValidBcryptCost (int $cost)

Protected Attributes

const PREFIX = '$2y$'
array $options

Detailed Description

This class implements the 'bcrypt' flavour of the PHP password API.

Hashes are identified by the prefix '$2y$'.

To work around the limitations of bcrypt (it accepts no more than 72 characters and truncates on NUL bytes), the plain password is pre-hashed before the actual password hash is generated or verified.

See also
PASSWORD_BCRYPT in https://secure.php.net/manual/en/password.constants.php

Definition at line 31 of file BcryptPasswordHash.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::__construct ( array  $options = [])

Member Function Documentation

◆ checkPassword()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::checkPassword ( string  $plainPW,
string  $saltedHashPW )

Checks if a given plaintext password is correct by comparing it with a given salted hashed password.

Parameters:
  string $plainPW       Plain-text password to compare with salted hash
  string $saltedHashPW  Salted hash to compare plain-text password with

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 83 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\processPlainPassword().

◆ getHashedPassword()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::getHashedPassword ( string  $password)

◆ isAvailable()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isAvailable ( )

bcrypt is always available in PHP core hash functions.

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 71 of file BcryptPasswordHash.php.

◆ isHashUpdateNeeded()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isHashUpdateNeeded ( string  $passString)

Checks whether a user's hashed password needs to be replaced with a new hash.

Parameters:
  string $passString  Salted hash to check if it needs an update

Returns:
  bool  TRUE if salted hash needs an update, otherwise FALSE

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 131 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Tests\Unit\Crypto\PasswordHashing\BcryptPasswordHashTest\isHashUpdateNeededReturnsTrueForHashGeneratedWithOldOptions().

◆ isValidBcryptCost()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isValidBcryptCost ( int  $cost)

◆ isValidSaltedPW()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isValidSaltedPW ( string  $saltedPW)

Determines if a given string is a valid salted hashed password.

Parameters:
  string $saltedPW  String to check

Returns:
  bool  TRUE if it's a valid salted hashed password, otherwise FALSE

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 110 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\isValidBcryptCost().

◆ processPlainPassword()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::processPlainPassword ( string  $password)

The plain password is hashed with SHA-384 and the result is base64 encoded. This produces a 64-character input for the password_* functions, which has some advantages:

  1. It is close to bcrypt's maximum input length of 72 characters
  2. base64 will never produce NUL bytes (bcrypt truncates on NUL bytes)
  3. SHA-384 is resistant to length extension attacks

Definition at line 144 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\checkPassword(), and TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\getHashedPassword().
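
The pre-hash described above, as an added sketch that is not TYPO3's own source: it compares plain bcrypt with bcrypt over the SHA-384/base64 pre-hash for two passwords that differ only after byte 72. The function names `prehash`, `hashPassword` and `verifyPassword` and the sample passwords are assumptions made for illustration; the cost of 12 is the class default documented on this page.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 source. Function names are hypothetical.

// SHA-384 yields a 48-byte raw digest; base64 of 48 bytes is exactly
// 64 ASCII characters with no padding and no NUL byte.
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function hashPassword(string $password, int $cost = 12): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify(prehash($password), $hash);
}

// Constructed sample input: two passwords that share their first 72 bytes.
$first  = str_repeat('A', 72) . '-first';
$second = str_repeat('A', 72) . '-second';

// Plain bcrypt only sees the shared 72-byte prefix of both passwords.
$plain = password_hash($first, PASSWORD_BCRYPT, ['cost' => 12]);
printf("plain bcrypt accepts the other password: %s\n",
    var_export(password_verify($second, $plain), true));

// With the pre-hash, every byte of the password influences the bcrypt input.
$hardened = hashPassword($first);
printf("pre-hashed bcrypt accepts the other password: %s\n",
    var_export(verifyPassword($second, $hardened), true));
printf("pre-hashed bcrypt accepts the right password: %s\n",
    var_export(verifyPassword($first, $hardened), true));

// Constructed NUL-byte case: the pre-hash output never contains "\0".
$withNul = prehash("pass\0word");
printf("pre-hash length %d, contains NUL: %s\n",
    strlen($withNul), var_export(str_contains($withNul, "\0"), true));
```

Plain bcrypt accepts the second password because bytes past 72 are ignored, while the pre-hashed variant rejects it. The script needs PHP 8 for `str_contains`.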

Member Data Documentation

◆ $options

array TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::$options
Initial value:
= array(
    'cost' => 12,
)

Raise default PHP cost (10). At the time of this writing, this leads to 150-200ms computing time on a casual I7 CPU.

Definition at line 43 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\__construct().


◆ PREFIX

const TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::PREFIX = '$2y$'

Prefix for the password hash

Definition at line 36 of file BcryptPasswordHash.php.