PHP
Optimus, 2018-02-14 12:01:27

Question about the password hashing function?

In the manual php.net/manual/ru/function.password-hash.php example:
password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
And note:
PASSWORD_DEFAULT - the bcrypt algorithm is used (default since PHP 5.5.0). Note that the algorithm used may change over time to a stronger one when one is added to PHP. Accordingly, the length of the result may change over time. Because of this, it is recommended to choose a field length greater than 60 characters to store in the database (255 characters could be a good option).
Does this mean that one day, when moving to a newer version of PHP, old users will not be able to get into the database without recreating the password, because the algorithm has changed? Will it hash the password with the new method, but compare it with the hash in the database obtained by the old method?


2 answer(s)
BoShurik, 2018-02-14
@BoShurik

No
php.net/manual/en/function.password-hash.php

The algorithm used, cost and salt will be returned as part of the hash. Thus, the information needed to verify the hash will be included in it. This will allow the password_verify() function to verify the hash without having to store the salt and algorithm information separately.
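The login flow this implies, as an added example that is not part of the original thread: password_verify() checks against whatever algorithm and cost the stored hash names, and password_needs_rehash() lets the application upgrade that hash while the plaintext is still available. The login() helper, the in-memory $store array and the cost values are assumptions made for illustration.

```php
<?php
// Added example: $store is a constructed in-memory stand-in for a users table.
declare(strict_types=1);

/**
 * Verify a login attempt against the stored hash and, if that hash no longer
 * matches the current algorithm/cost policy, replace it with a fresh one.
 * Hypothetical helper; $store maps user name => stored hash.
 */
function login(array &$store, string $user, string $password, array $options = []): bool
{
    if (!isset($store[$user])) {
        return false;
    }
    // password_verify() reads the algorithm, cost and salt from the hash itself,
    // so a hash produced under an older default still verifies.
    if (!password_verify($password, $store[$user])) {
        return false;
    }
    // The plaintext only exists at login time, so this is the place to upgrade.
    if (password_needs_rehash($store[$user], PASSWORD_DEFAULT, $options)) {
        $store[$user] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

// Constructed sample: a hash created under an "old" policy (bcrypt, cost 4).
$store = ['optimus' => password_hash('rasmuslerdorf', PASSWORD_BCRYPT, ['cost' => 4])];
$old = $store['optimus'];

// Algorithm and cost as parsed from the stored hash.
print_r(password_get_info($old));

// Wrong password: rejected, stored hash left alone.
var_dump(login($store, 'optimus', 'wrong-password', ['cost' => 12]));
var_dump($store['optimus'] === $old);

// Correct password: accepted against the old hash, then rehashed under the new policy.
var_dump(login($store, 'optimus', 'rasmuslerdorf', ['cost' => 12]));
var_dump($store['optimus'] !== $old);
print_r(password_get_info($store['optimus']));

// Second login verifies against the upgraded hash; no further rehash is needed.
var_dump(login($store, 'optimus', 'rasmuslerdorf', ['cost' => 12]));
```

The column holding the hash needs room for a longer result after an upgrade, which is why the manual note quoted in the question suggests 255 characters.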

Stalker_RED, 2018-02-14
@Stalker_RED

Yes. Therefore, you can specify PASSWORD_BCRYPT right away, or specify it sometime later, when you migrate (if necessary).
