The php Function Password_Hash and Password_Verify

Password hashing is a critical part of securing an application from attackers who may be able to crack passwords through rainbow tables or dictionary attacks. Fortunately, the php function password_hash makes it easy to hash a user's password and store the result in a secure manner.

The password_hash function accepts two arguments: a string value that will be hashed and an algorithm to use. The default is bcrypt, but you can also choose a different algo by specifying the option PASSWORD_BCRYPT, PASSWORD_ARGON2I, or PASSWORD_ARGON2ID.

Once the hash is created, it's stored in a secure database. Then, when a user authenticates, you can verify that the submitted password matches the stored hash. This prevents a breach from gaining access to the users' real password and is much safer than simply comparing the string values using the equals sign, which could be subject to timing attacks.

The php function password_verify takes the plain-text password as the first argument and the hash that was stored in the database as the second. The function uses information about the hashing algorithm and cost factors that was used to create the hash to compare it with the passed password. It returns a boolean value, indicating whether the passwords match or not. Since this function uses constant time, it is safe against timing attacks. The resulting boolean can then be used to determine the correct action to take, such as displaying a login failure message or redirecting the user to an error page.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

password_hash example

$minPasswordLength,
            $minLengthConstraints,
            true,
            'short',
        ];

        yield 'success with algorithm password' => [
            PasswordField::FOR_ADMIN,
            $minPasswordLength,
            $minLengthConstraints,
            false,
            password_hash('over8characters', \PASSWORD_DEFAULT),
        ];
    }
}
throw new \InvalidArgumentException(sprintf('The password length cannot be shorter than %d characters.', $minPasswordLength));
        }

        $password = $password ?? Random::getAlphanumericString(max($minPasswordLength, 8));

        $userPayload = [
            'id' => Uuid::randomBytes(),
            'first_name' => $additionalData['firstName'] ?? '',
            'last_name' => $additionalData['lastName'] ?? $username,
            'email' => $additionalData['email'] ?? 'info@shopware.com',
            'username' => $username,
            'password' => password_hash($password, \PASSWORD_BCRYPT),
            'locale_id' => $additionalData['localeId'] ?? $this->getLocaleOfSystemLanguage(),
            'active' => true,
            'admin' => $additionalData['admin'] ?? true,
            'created_at' => (new \DateTime())->format(Defaults::STORAGE_DATE_TIME_FORMAT),
        ];

        $this->connection->insert('user', $userPayload);

        return $password;
    }

    
$array = iterator_to_array($x);
        } catch (WriteConstraintViolationException $exception) {
        }

        static::assertIsNotArray($array);
        static::assertInstanceOf(WriteConstraintViolationException::class$exception);
        static::assertNotNull($exception->getViolations()->findByCodes(NotBlank::IS_BLANK_ERROR));
    }

    public function testAlreadyEncodedValueIsPassedThrough(): void
    {
        $password = password_hash('shopware', \PASSWORD_DEFAULT);

        $field = new PasswordField('password', 'password');
        $existence = new EntityExistence($this->getContainer()->get(UserDefinition::class)->getEntityName()[], false, false, false, []);
        $kvPair = new KeyValuePair('password', $password, true);

        $passwordFieldHandler = new PasswordFieldSerializer(
            $this->getContainer()->get(ValidatorInterface::class),
            $this->getContainer()->get(DefinitionInstanceRegistry::class),
            $this->getContainer()->get(SystemConfigService::class)
        );

        
return (int) $localeId;
    }

    /** * @param string $password * * @return string */
    private function saltPassword($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }
}

        return password_verify($password$hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_BCRYPT, $this->options);

        if (!\is_string($hash)) {
            throw new DomainException(sprintf('Password could not be encoded by the encoder %s.', $this->getName()));
        }

        return $hash;
    }

    /** * @param string $hash * * @return bool */
public function authorizeBrowserWithIntegrationForApp(KernelBrowser $browser, string $appId): void
    {
        $accessKey = AccessKeyHelper::generateAccessKey('integration');
        $secretAccessKey = AccessKeyHelper::generateSecretAccessKey();
        $id = Uuid::fromHexToBytes($this->appRepo->search(new Criteria([$appId]), Context::createDefaultContext())->first()->getIntegrationId());

        $connection = $browser->getContainer()->get(Connection::class);

        $connection->update('integration', [
            'access_key' => $accessKey,
            'secret_access_key' => password_hash($secretAccessKey, \PASSWORD_BCRYPT),
        ]['id' => $id]);

        $this->apiIntegrations[] = $id;

        $authPayload = [
            'grant_type' => 'client_credentials',
            'client_id' => $accessKey,
            'client_secret' => $secretAccessKey,
        ];

        $browser->request('POST', '/api/oauth/token', $authPayload);
        
public function hash(#[\SensitiveParameter] string $plainPassword): string     {
        if ($this->isPasswordTooLong($plainPassword)) {
            throw new InvalidPasswordException();
        }

        if (\PASSWORD_BCRYPT === $this->algorithm && (72 < \strlen($plainPassword) || str_contains($plainPassword, "\0"))) {
            $plainPassword = base64_encode(hash('sha512', $plainPassword, true));
        }

        return password_hash($plainPassword$this->algorithm, $this->options);
    }

    public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword): bool     {
        if ('' === $plainPassword || $this->isPasswordTooLong($plainPassword)) {
            return false;
        }

        if (!str_starts_with($hashedPassword, '$argon')) {
            // Bcrypt cuts on NUL chars and after 72 bytes             if (str_starts_with($hashedPassword, '$2') && (72 < \strlen($plainPassword) || str_contains($plainPassword, "\0"))) {
                
$hasher = new SodiumPasswordHasher();
        $result = $hasher->hash(str_repeat('a', 4096), null);
        $this->assertFalse($hasher->verify($resultstr_repeat('a', 4097), null));
        $this->assertTrue($hasher->verify($resultstr_repeat('a', 4096), null));
    }

    public function testBcryptWithLongPassword()
    {
        $hasher = new SodiumPasswordHasher(null, null, 4);
        $plainPassword = str_repeat('a', 100);

        $this->assertFalse($hasher->verify(password_hash($plainPassword, \PASSWORD_BCRYPT, ['cost' => 4])$plainPassword, 'salt'));
        $this->assertTrue($hasher->verify((new NativePasswordHasher(null, null, 4, \PASSWORD_BCRYPT))->hash($plainPassword)$plainPassword, 'salt'));
    }

    public function testBcryptWithNulByte()
    {
        $hasher = new SodiumPasswordHasher(null, null, 4);
        $plainPassword = "a\0b";

        $this->assertFalse($hasher->verify(password_hash($plainPassword, \PASSWORD_BCRYPT, ['cost' => 4])$plainPassword, 'salt'));
        $this->assertTrue($hasher->verify((new NativePasswordHasher(null, null, 4, \PASSWORD_BCRYPT))->hash($plainPassword)$plainPassword, 'salt'));
    }

    
return $locale->getId();
    }

    private function createUser(string $userId): void
    {
        $this->getContainer()->get(Connection::class)->insert('user', [
            'id' => Uuid::fromHexToBytes($userId),
            'first_name' => 'test',
            'last_name' => '',
            'email' => 'test@example.com',
            'username' => 'userTest',
            'password' => password_hash('123456', \PASSWORD_BCRYPT),
            'locale_id' => Uuid::fromHexToBytes($this->getLocaleIdOfSystemLanguage()),
            'active' => 1,
            'admin' => 1,
            'created_at' => (new \DateTime())->format(Defaults::STORAGE_DATE_TIME_FORMAT),
        ]);
    }

    /** * @param array<string> $privileges */
    private function createAclRole(string $aclRoleId, array $privileges): void
    {
$hasher = new NativePasswordHasher(null, null, null, '1');
        $result = $hasher->hash('password', null);
        $this->assertTrue($hasher->verify($result, 'password', null));
        $this->assertStringStartsWith('$2', $result);
    }

    public function testBcryptWithLongPassword()
    {
        $hasher = new NativePasswordHasher(null, null, 4, \PASSWORD_BCRYPT);
        $plainPassword = str_repeat('a', 100);

        $this->assertFalse($hasher->verify(password_hash($plainPassword, \PASSWORD_BCRYPT, ['cost' => 4])$plainPassword, 'salt'));
        $this->assertTrue($hasher->verify($hasher->hash($plainPassword)$plainPassword, 'salt'));
    }

    public function testBcryptWithNulByte()
    {
        $hasher = new NativePasswordHasher(null, null, 4, \PASSWORD_BCRYPT);
        $plainPassword = "a\0b";

        $this->assertFalse($hasher->verify(password_hash($plainPassword, \PASSWORD_BCRYPT, ['cost' => 4])$plainPassword, 'salt'));
        $this->assertTrue($hasher->verify($hasher->hash($plainPassword)$plainPassword, 'salt'));
    }

    

        return password_verify($password$hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_ARGON2ID, $this->options);

        if (!\is_string($hash)) {
            throw new DomainException(sprintf('Password could not be encoded by the encoder %s.', $this->getName()));
        }

        return $hash;
    }

    /** * @param string $hash * * @return bool */
throw DataAbstractionLayerException::invalidSerializerField(PasswordField::class$field);
        }

        $this->validateIfNeeded($field$existence$data$parameters);

        $value = $data->getValue();
        if ($value) {
            $info = password_get_info($value);
            // if no password algorithm is detected, it might be plain text which needs to be encoded.             // otherwise, passthrough the possibly encoded string             if (!$info['algo']) {
                $value = password_hash((string) $value$field->getAlgorithm()$field->getHashOptions());
            }
        }

        yield $field->getStorageName() => $value;
    }

    public function decode(Field $field, mixed $value): ?string
    {
        return $value;
    }

    
/** * @dataProvider validateClientDataProvider * * @param string $clientIdentifier */
    public function testValidateClient(string $grantType$clientIdentifier, string $clientSecret, bool $expectedResult): void
    {
        $this->connection->method('fetchAssociative')->willReturnCallback(function D) use ($clientIdentifier$clientSecret) {
            if ($clientIdentifier === 'SWUAADMIN' && $clientSecret === 'shopware') {
                return [
                    'secret_access_key' => password_hash($clientSecret, \PASSWORD_BCRYPT),
                ];
            }

            return false;
        });

        $result = $this->clientRepository->validateClient($clientIdentifier$clientSecret$grantType);
        static::assertSame($expectedResult$result);
    }

    /** * @dataProvider getClientEntityDataProvider */


  /** * {@inheritdoc} */
  public function hash(#[\SensitiveParameter] $password) {     // Prevent DoS attacks by refusing to hash large passwords.     if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
      return FALSE;
    }

    return password_hash($password$this->algorithm, $this->options);
  }

  /** * {@inheritdoc} */
  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash) {     // Prevent DoS attacks by refusing to check large passwords.     if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
      return FALSE;
    }

    

        return password_verify($password$hash);
    }

    /** * @param string $password * * @return string */
    public function encodePassword($password)
    {
        $hash = password_hash($password, PASSWORD_ARGON2I, $this->options);

        if (!\is_string($hash)) {
            throw new DomainException(sprintf('Password could not be encoded by the encoder %s.', PASSWORD_ARGON2I));
        }

        return $hash;
    }

    /** * @param string $hash * * @return bool */
Home | Imprint | This part of the site doesn't use cookies.