array ( 0 => 'index.php', 1 => 'PHP Manual', ), 'head' => array ( 0 => 'UTF-8', 1 => 'en', ), 'this' => array ( 0 => 'password.constants.php', 1 => 'Predefined Constants', 2 => 'Predefined Constants', ), 'up' => array ( 0 => 'book.password.php', 1 => 'Password Hashing', ), 'prev' => array ( 0 => 'password.installation.php', 1 => 'Installation', ), 'next' => array ( 0 => 'ref.password.php', 1 => 'Password Hashing Functions', ), 'alternatives' => array ( ), 'source' => array ( 'lang' => 'en', 'path' => 'reference/password/constants.xml', ), 'history' => array ( ), ); $setup["toc"] = $TOC; $setup["toc_deprecated"] = $TOC_DEPRECATED; $setup["parents"] = $PARENTS; manual_setup($setup); contributors($setup); ?>

Predefined Constants

The constants below are always available as part of the PHP core.

PASSWORD_BCRYPT (string)

PASSWORD_BCRYPT is used to create new password hashes using the CRYPT_BLOWFISH algorithm.

This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.

Supported Options:

  • salt (string) - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

    If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation and as of PHP 7.0.0 the salt option has been deprecated.

  • cost (int) - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.

    If omitted, a default value of 12 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.

PASSWORD_BCRYPT_DEFAULT_COST (int)

PASSWORD_ARGON2I (string)

PASSWORD_ARGON2I is used to create new password hashes using the Argon2i algorithm.

Supported Options:

Available as of PHP 7.2.0.

PASSWORD_ARGON2ID (string)

PASSWORD_ARGON2ID is used to create new password hashes using the Argon2id algorithm. It supports the same options as PASSWORD_ARGON2I.

Available as of PHP 7.3.0.

PASSWORD_ARGON2_DEFAULT_MEMORY_COST (int)

Default amount of memory in bytes that will be used while trying to compute a hash.

Available as of PHP 7.2.0.

PASSWORD_ARGON2_DEFAULT_TIME_COST (int)

Default amount of time that will be spent trying to compute a hash.

Available as of PHP 7.2.0.

PASSWORD_ARGON2_DEFAULT_THREADS (int)

Default number of threads that Argon2lib will use. Not available with libsodium implementation.

Available as of PHP 7.2.0.

PASSWORD_ARGON2_PROVIDER (string)

Available as of PHP 7.4.0.

PASSWORD_DEFAULT (string)

The default algorithm to use for hashing if no algorithm is provided. This may change in newer PHP releases when newer, stronger hashing algorithms are supported.

It is worth noting that over time this constant can change. It is thus important to be aware that the length of the resulting hash can change. Therefore, when using PASSWORD_DEFAULT the resulting hash must be stored in a way that can store arbitrary hashes, the recommended width is 255 bytes.

Currently is an alias for PASSWORD_BCRYPT.

Changelog

Version Description
7.4.0 The values of the password algo IDs (PASSWORD_BCRYPT, PASSWORD_ARGON2I, PASSWORD_ARGON2ID and PASSWORD_DEFAULT) are now strings. Previously, they have been ints.