7

What is the best way to hash a password? I know a way that does a good job, but I was wondering if there is an even better way to hash passwords in PHP 7+ than password_hash(). Is password_hash good enough?

```php
<?php
password_hash('PASSWORD HERE', PASSWORD_DEFAULT);
?>
```
JJJ
  • Yes it is the best you can do with PHP and it will be adapted to future requirements (the algorithm can be exchanged). – martinstoeckli Nov 30 '17 at 11:49
  • 1
    That isn't a duplicate, I have reopened the question. As of PHP 7.2, [Argon2](https://wiki.php.net/rfc/argon2_password_hash) is now implemented in that version of PHP and offers a more robust hashing method. – Funk Forty Niner Nov 30 '17 at 12:37
  • 1
    Someone just voted to close the question again with the duplicate they say it is. The OP is specifically asking if there is a better way. The duplicate does not cover this (on [Argon2](https://wiki.php.net/rfc/argon2_password_hash)). Please don't flag it as such and remove the flag for it please. This is a specific question and to PHP 7+. Edit (ping) @RC. – Funk Forty Niner Nov 30 '17 at 12:53
  • 1
    If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Nov 30 '17 at 13:46
  • @RC. I'm just saying that the original duplicate seems to have come from you. If I'm wrong, then I apologize. I saw your (member) name as being the first on the list, that's why. If you look at my above comment, this question is a specific one and the duplicates including the links you posted in comments do not make any mention to Argon2, which is why I decided to reopen the question in order to cover the entire question and not just the one part. I feel that it will serve as a good canonical Q&A for servers having PHP 7.2 installed. – Funk Forty Niner Nov 30 '17 at 14:44
  • Again I've **one** vote, not six. I will remove my comments from here and stop @ me, thanks. –  Nov 30 '17 at 14:55
  • @JayBlanchard - I know how to use StackOverFlow. I just checked it today after posting a day or 2 ago. I marked the best answer. Thanks for the details –  Dec 01 '17 at 00:24

1 Answer

7

"I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash. Is password_hash good enough?"

Yes it is safe enough, and yes there is a better/safer way. As of PHP 7.2, Argon2 is part of a newly implemented (hashing) method that won the Password Hashing Competition which offers a more robust method, should you want to upgrade your version of PHP to 7.2.

The wiki on this states:

Argon2, the recommended password hashing algorithm by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate, and effective use of multiple computing units while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:

  1. A memory cost that defines memory usage of the algorithm
  2. A time cost that defines the execution time of the algorithm and the number of iterations
  3. And a parallelism factor, which defines the number of parallel threads

You can also look into the following link which contains more information on Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

The manual on http://php.net/manual/en/function.password-hash.php also contains information on PASSWORD_ARGON2I.

The changelog states:

7.2.0 Support for Argon2 passwords using PASSWORD_ARGON2I was added.


If upgrading to PHP 7.2 is not an option, then you could increase the "cost".

Pulled from this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option, and I quote:

Increasing the cost parameter by 1, doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:

```php
$iterations = 2 ** $cost; // ** is exponentiation in PHP; ^ would be bitwise XOR
```

You can also consult this other Q&A here on Stack Overflow:

Funk Forty Niner
  • 1
    Side note: I feel the post will serve as a canonical Q&A for those who are seeking a more robust hashing method for servers having PHP 7.2 installed, as well as for those who are not (yet) aware of this newly implemented (hashing) method (in PHP 7.2). – Funk Forty Niner Nov 30 '17 at 13:25
  • 2
    The default algorithm will change over time, so sticking with the `PASSWORD_DEFAULT` parameter could be a bit more future proof (there is so much unmaintained code still running...). But it's good to know that Argon2 finally made it into the PHP API. – martinstoeckli Nov 30 '17 at 16:48
  • Indeed @martinstoeckli and TBH, I only got wind of Argon2 a month or so ago. It's quite an interesting (new) method that was added/implemented into PHP 7.2.0. – Funk Forty Niner Nov 30 '17 at 16:50
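An added example, not code from the question, the answer or any of the linked posts, that puts the accepted answer and martinstoeckli's comment into one working script: it uses Argon2i when the running PHP build exposes `PASSWORD_ARGON2I` (7.2+), falls back to bcrypt with a raised cost otherwise, verifies logins with `password_verify()`, and uses `password_needs_rehash()` so old hashes are upgraded transparently on the next successful login. All function names (`preferredHashConfig`, `hashPassword`, `verifyAndMaybeRehash`, `tuneBcryptCost`), the parameter values and the sample password are assumptions chosen for the example; only the PHP built-ins and option keys are real.

```php
<?php
// Added example (not from the original Q&A). Assumes PHP >= 7.0; Argon2i is
// detected at runtime because PASSWORD_ARGON2I only exists on 7.2+ builds
// compiled with Argon2 support.
declare(strict_types=1);

/**
 * Return [algorithm constant, options] for the strongest available hash:
 * Argon2i (PHP 7.2+) when present, otherwise bcrypt with a raised cost.
 * The Argon2 values below are assumed defaults, not the page's.
 */
function preferredHashConfig(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        // Memory (KiB), time (iterations) and threads: the three factors the RFC lists.
        return [PASSWORD_ARGON2I, [
            'memory_cost' => 1 << 16, // 64 MiB
            'time_cost'   => 4,
            'threads'     => 2,
        ]];
    }
    // Each +1 on bcrypt's cost doubles the work, so 12 is 4x the cost-10 default.
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hashPassword(string $password): string
{
    list($algo, $options) = preferredHashConfig();
    $hash = password_hash($password, $algo, $options);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Verify a login attempt. On success, if the stored hash used a weaker
 * algorithm or weaker parameters than preferredHashConfig(), return a
 * replacement hash the caller must persist ('newHash' is null otherwise).
 */
function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    list($algo, $options) = preferredHashConfig();
    $newHash = password_needs_rehash($storedHash, $algo, $options)
        ? hashPassword($password)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

/**
 * Pick a bcrypt cost so that one hash takes roughly $targetMs on this host,
 * following the answer's "increase the cost" advice for pre-7.2 servers.
 */
function tuneBcryptCost(int $targetMs = 250, int $maxCost = 31): int
{
    for ($cost = 10; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs >= $targetMs) {
            return $cost;
        }
    }
    return $maxCost;
}

// --- demonstration with a constructed sample password ---
$secret = 'correct horse battery staple';

$hash = hashPassword($secret);
echo "stored hash: $hash\n";

$result = verifyAndMaybeRehash($secret, $hash);
echo 'fresh hash verifies: ', $result['ok'] ? 'yes' : 'no',
     ', rehash needed: ', $result['newHash'] === null ? 'no' : 'yes', "\n";

// A legacy bcrypt hash at cost 4 (constructed) is accepted once, then replaced.
$legacy = password_hash($secret, PASSWORD_BCRYPT, ['cost' => 4]);
$result = verifyAndMaybeRehash($secret, $legacy);
echo 'legacy hash verifies: ', $result['ok'] ? 'yes' : 'no',
     ', rehash needed: ', $result['newHash'] === null ? 'no' : 'yes', "\n";

// A wrong password never verifies, whichever algorithm produced the hash.
$result = verifyAndMaybeRehash('not the password', $hash);
echo 'wrong password verifies: ', $result['ok'] ? 'yes' : 'no', "\n";

echo 'suggested bcrypt cost on this host: ', tuneBcryptCost(), "\n";
```

Storing the returned `newHash` on login is what lets a site move from bcrypt to Argon2 (or from cost 10 to cost 12) without ever holding plaintext passwords: the only moment the plaintext is available is the successful login itself. Keeping `PASSWORD_DEFAULT` instead of pinning an algorithm, as the comment above suggests, works with the same `password_needs_rehash()` loop.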