Is it safe to use password_hash
with Unicode characters like the following, or are there incompatibility problems?
<?php
$hash = password_hash("漢字", PASSWORD_DEFAULT);
?>
The hashing algorithms themselves work on bytes, so they are Unicode safe, as Mark commented. The only issue might be PHP's handling of Unicode strings, i.e. are the password hashing functions binary-safe? Let's test it and find out:
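<?php
$pass = 0;
$fail = 0;
# Generate 100 random unicode passwords
for ($i = 0; $i < 100; $i++) {
    $password = '';
    for ($p = 0; $p < 10; $p++) {
        # Pick a random code point, skipping UTF-16 surrogates (not valid characters)
        do {
            $cp = mt_rand(0xa1, 0xffff);
        } while ($cp >= 0xd800 && $cp <= 0xdfff);
        # mb_chr() (mbstring, PHP 7.2+) encodes the code point as a UTF-8 character;
        # appending the integer itself would only add ASCII digits
        $password .= mb_chr($cp, 'UTF-8');
    }
    # Test password hashing
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify($password, $hash)) {
        $pass++;
    } else {
        $fail++;
    }
}
echo "Pass: $pass\nFail: $fail\n";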
Result:
Pass: 100
Fail: 0
The answer to your question is yes, it's safe.
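Because the hash is computed over bytes, two things still matter for Unicode passwords in practice: the same visible text can arrive in different byte forms (NFC vs. NFD), and bcrypt, the current PASSWORD_DEFAULT, only uses the first 72 bytes. The following is an added example, not part of the original answer; it assumes the intl and mbstring extensions, and the helper names `normalize_password`, `hash_password` and `verify_password` are hypothetical.

```php
<?php
// Added example: helper names are hypothetical; requires ext-intl and ext-mbstring.

// Normalize to NFC so the same visible password always yields the same bytes.
function normalize_password(string $password): string
{
    if (!mb_check_encoding($password, 'UTF-8')) {
        throw new InvalidArgumentException('Password is not valid UTF-8');
    }
    $nfc = Normalizer::normalize($password, Normalizer::FORM_C);
    if ($nfc === false) {
        throw new InvalidArgumentException('Password could not be normalized');
    }
    return $nfc;
}

function hash_password(string $password): string
{
    $normalized = normalize_password($password);
    // bcrypt ignores everything past 72 bytes; multi-byte characters reach
    // that limit sooner than ASCII. Rejecting is one possible policy.
    if (strlen($normalized) > 72) {
        throw new LengthException('Password exceeds 72 bytes');
    }
    return password_hash($normalized, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $hash): bool
{
    return password_verify(normalize_password($password), $hash);
}

// Constructed sample: precomposed "é" (NFC) vs. "e" + combining acute accent (NFD).
$nfc = "caf\u{00E9}";
$nfd = "cafe\u{0301}";

// Without normalization the two forms are different byte strings.
$rawHash = password_hash($nfc, PASSWORD_DEFAULT);
var_dump(password_verify($nfd, $rawHash));

// With normalization on both the hash and verify paths they compare equal.
$hash = hash_password($nfc);
var_dump(verify_password($nfd, $hash));

// Byte length (what bcrypt sees) vs. character count for the question's password.
var_dump(strlen("漢字"), mb_strlen("漢字", 'UTF-8'));
```

Normalization has to be applied consistently at both registration and login; hashes created from un-normalized input before such a change will only verify against the original byte form.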