PHP - What password hash is this?

lubblig · October 20, 2016

I've got this PHP code to generate a password hash,

$hash = password_hash($input_password, PASSWORD_DEFAULT, ['cost' => 10]);

But I'm having troubles finding what type of password hash is used. I've tried googling it but without finding what it is (might just be me using bad search terms).

I'm assuming it's not MD5 or SHA1 since that's not considered safe anymore but I want to be sure and I want to know what's actually being used, so if anyone could tell me (and preferably link to a source that tells me what's being used), I would really appreciate that!

Thanks!

Mr_KoKa · October 20, 2016

Quote

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

Always check PHP docs. http://php.net/manual/en/function.password-hash.php

Nineshadow · October 20, 2016

Quote

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

Oh, @Mr_KoKa beat me to it.

lubblig · October 20, 2016

1 minute ago, Mr_KoKa said:

I found that, but I didn't think bcrypt was an hashing "type", just an algorithm generating it. So is bcrypt similar to what sha1/sha256 is (but better/safer)?

2FA · October 20, 2016

17 minutes ago, lubblig said:

I found that, but I didn't think bcrypt was an hashing "type", just an algorithm generating it. So is bcrypt similar to what sha1/sha256 is (but better/safer)?

Hashing "types" as you call them are just different algorithms.

I would say bcrypt is on par with SHA2 families as unlike SHA which is hash based, bcrypt uses Blowfish which uses a cipher. You can also change how many iterations bcrypt will go through before outputting the final hash up to a total of 31 iterations which is exponential. 14 iterations is similar to SHA-256 so being able to increase the algorithm exponentially helps deal with the exponential growth of computer processing speeds.