BcryptPasswordHash implements PasswordHashInterface

This class implements the 'bcrypt' flavour of the php password api.

Hashes are identified by the prefix '$2y$'.

To work around the limitations of bcrypt (accepts not more than 72 chars and truncates on NUL bytes), the plain password is pre-hashed before the actual password-hash is generated/verified.

Tags
see
PASSWORD_BCRYPT

in https://secure.php.net/manual/en/password.constants.php

Table of Contents

Interfaces

PasswordHashInterface
Interface with public methods needed to be implemented in a salting hashing class.

Constants

PREFIX  = '$2y$'
Prefix for the password hash

Properties

$options  : array<string|int, mixed>
Set default PHP cost: Default is 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a casual I7 CPU.

Methods

__construct()  : mixed
Constructor sets options if given
checkPassword()  : bool
Checks if a given plaintext password is correct by comparing it with a given salted hashed password.
getHashedPassword()  : string|null
Method creates a hash for a given plaintext password
isAvailable()  : bool
bcrypt is always available in PHP core hash functions.
isHashUpdateNeeded()  : bool
Checks whether a user's hashed password needs to be replaced with a new hash.
isValidSaltedPW()  : bool
Determines if a given string is a valid salted hashed password.
isValidBcryptCost()  : bool
processPlainPassword()  : string
The plain password is processed through sha384 and then base64 encoded. This will produce a 64 characters input to use with password_* functions, which has some advantages: 1. It is close to the (bcrypt-) maximum of 72 character keyspace 2. base64 will never produce NUL bytes (bcrypt truncates on NUL bytes) 3. sha384 is resistant to length extension attacks

Constants

PREFIX

Prefix for the password hash

protected mixed PREFIX = '$2y$'

Properties

$options

Set default PHP cost: Default is 10 with PHP <8.4, 12 since PHP 8.4. At the time of this writing, this leads to 150-200ms computing time on a casual I7 CPU.

protected array<string|int, mixed> $options = ['cost' => 12]

Methods

__construct()

Constructor sets options if given

public __construct([array<string|int, mixed> $options = [] ]) : mixed
Parameters
$options : array<string|int, mixed> = []

checkPassword()

Checks if a given plaintext password is correct by comparing it with a given salted hashed password.

public checkPassword(string $plainPW, string $saltedHashPW) : bool
Parameters
$plainPW : string

plain text password to compare with salted hash

$saltedHashPW : string

Salted hash to compare plain-text password with

Return values
bool

TRUE, if plaintext password is correct, otherwise FALSE

getHashedPassword()

Method creates a hash for a given plaintext password

public getHashedPassword(string $password) : string|null
Parameters
$password : string

Plaintext password to create a hash from

Return values
string|null

Hashed password or null on empty password

isAvailable()

bcrypt is always available in PHP core hash functions.

public isAvailable() : bool
Return values
bool

Method available

isHashUpdateNeeded()

Checks whether a user's hashed password needs to be replaced with a new hash.

public isHashUpdateNeeded(string $passString) : bool
Parameters
$passString : string

Salted hash to check if it needs an update

Return values
bool

TRUE if salted hash needs an update, otherwise FALSE

isValidSaltedPW()

Determines if a given string is a valid salted hashed password.

public isValidSaltedPW(string $saltedPW) : bool
Parameters
$saltedPW : string

String to check

Return values
bool

TRUE if it's valid salted hashed password, otherwise FALSE

processPlainPassword()

The plain password is processed through sha384 and then base64 encoded. This will produce a 64 characters input to use with password_* functions, which has some advantages: 1. It is close to the (bcrypt-) maximum of 72 character keyspace 2. base64 will never produce NUL bytes (bcrypt truncates on NUL bytes) 3. sha384 is resistant to length extension attacks

protected processPlainPassword(string $password) : string
Parameters
$password : string
Return values
string

        
On this page

Search results