CODEWITHSUNDEEP
phppassword-hashphp-7.4
Craig Francis
Craig Francis

Reputation: 1935

Identifying what PASSWORD_DEFAULT will be in PHP 7.4

Just before using password_hash(), I check if PASSWORD_DEFAULT === PASSWORD_BCRYPT to see if I need to do some cleanup on the password before it's hashed (Argon2 won't need this).

I'm simply passing it though a quick hash first, because bcrypt has an issue with NULL characters, and passwords longer than 72 characters (more info, and a different example).

But in PHP 7.4, the constant PASSWORD_DEFAULT is now set to NULL.

So how can I tell what algorithm password_hash() will use?

Upvotes: 1

Views: 2548

Answers (2)

Rain
Rain

Reputation: 3936

Edit

As of PHP 7.4.3 you can continue using PASSWORD_DEFAULT === PASSWORD_BCRYPT

https://3v4l.org/nN4Qi

You don't actually have to use password_hash twice. A better and faster way is to provide an already hashed value with Bcrypt and check it against PASSWORD_DEFAULT with password_needs_rehash function to see if the default algo has changed or not.

bcrypt algorithm is the default as of PHP 5.5.0

So for example:

$hash = '$2y$10$ra4VedcLU8bv3jR0AlpEau3AZevkQz4Utm7F8EqUNE0Jqx0s772NG'; // Bcrypt hash

// if it doesn't need rehash then the default algo is absolutely Bcrypt
if (! password_needs_rehash($hash, PASSWORD_DEFAULT)) {
    // do some clean up
}

Note: make sure that the hash value($hash) has the same cost provided in password_needs_rehash's third parameter, otherwise it will consider the hash outdated and need rehash since the cost has changed.

Upvotes: 0

Dharman
Dharman

Reputation: 33400

This is an interesting problem, for which I believe there is no standard function yet. This is not a huge problem because the hash itself contains an identifier telling us which hash algorithm was used. The important thing to note here is that PASSWORD_DEFAULT is a constant. Constants do not change.

To figure out which algorithm is used when using the default constant (which was and still is bcrypt), you need to generate some dummy hash and look at the beginning of it. We can even use a nice helper function password_get_info()

$hashInfo = password_get_info(password_hash('pass', PASSWORD_DEFAULT, [ 'cost' => 4 ] ));
echo $hashInfo['algo']; // should return either 1 or 2y

if($hashInfo['algo'] === PASSWORD_BCRYPT) {
    // will be true for PHP <= 7.4
}

Upvotes: 2

Related Questions