class PhpassHashedPassword implements PasswordInterface

Secure password hashing functions based on the Portable PHP password hashing framework.

Constants

MIN_HASH_COUNT

The minimum allowed log2 number of iterations for password stretching.

MAX_HASH_COUNT

The maximum allowed log2 number of iterations for password stretching.

HASH_LENGTH

The expected (and maximum) number of characters in a hashed password.

Properties

static string $ITOA64

A string used to map an integer to the corresponding base 64 character.

protected int $countLog2

Specifies the number of times the hashing function will be applied when generating new password hashes. The number of times is calculated by raising 2 to the power of the given value.

Methods

__construct(int $countLog2)

Constructs a new password hashing instance.

string
base64Encode(string $input, int $count)

Encodes bytes into printable base 64 using the *nix standard from crypt().

string
generateSalt()

Generates a random base 64-encoded salt prefixed with hash settings.

int
enforceLog2Boundaries(int $count_log2)

Ensures that $count_log2 is within set bounds.

string
crypt(string $algo, string $password, string $setting)

Hash a password using a secure stretched hash.

int
getCountLog2(string $setting)

Parses the log2 iteration count from a stored hash or setting string.

string
hash(string $password)

Hash a password using a secure hash.

bool
check(string $password, string $hash)

Check whether a plain text password matches a hashed password.

bool
needsRehash(string $hash)

Check whether a hashed password needs to be replaced with a new hash.

Details

__construct(int $countLog2)

Constructs a new password hashing instance.

Parameters

int $countLog2

Password stretching iteration count. Specifies the number of times the hashing function will be applied when generating new password hashes. The number of times is calculated by raising 2 to the power of the given value.

protected string base64Encode(string $input, int $count)

Encodes bytes into printable base 64 using the *nix standard from crypt().

Parameters

string $input

The string containing bytes to encode.

int $count

The number of characters (bytes) to encode.

Return Value

string

Encoded string.

protected string generateSalt()

Generates a random base 64-encoded salt prefixed with hash settings.

Proper use of salts may defeat a number of attacks, including:

  • The ability to try candidate passwords against multiple hashes at once.
  • The ability to use pre-hashed lists of candidate passwords.
  • The ability to determine whether two users have the same (or different) password without actually having to guess one of the passwords.

Return Value

string

A 12-character string containing the iteration count and a random salt.

protected int enforceLog2Boundaries(int $count_log2)

Ensures that $count_log2 is within set bounds.

Parameters

int $count_log2

Integer that determines the number of iterations used in the hashing process. A larger value is more secure, but takes more time to complete.

Return Value

int

Integer within set bounds that is closest to $count_log2.

protected string crypt(string $algo, string $password, string $setting)

Hash a password using a secure stretched hash.

By using a salt and repeated hashing, the password is "stretched". Its security is increased because it becomes much more computationally costly for an attacker to break the hash by brute force, i.e. by computing the hashes of a large number of plain-text words or strings until one matches.

Parameters

string $algo

The string name of a hashing algorithm usable by hash(), like 'sha256'.

string $password

Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to hash.

string $setting

An existing hash or the output of $this->generateSalt(). Must be at least 12 characters (the settings and salt).

Return Value

string

A string containing the hashed password (and salt), or FALSE on failure. The returned string is truncated to at most HASH_LENGTH characters.

int getCountLog2(string $setting)

Parses the log2 iteration count from a stored hash or setting string.

Parameters

string $setting

An existing hash or the output of $this->generateSalt(). Must be at least 12 characters (the settings and salt).

Return Value

int

The log2 iteration count.
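The salt format, stretching loop and count parsing described under generateSalt(), crypt() and getCountLog2() above, as an added, simplified re-implementation for reading purposes (this is not Drupal's class). The '$S$' prefix, HASH_LENGTH = 55 and the 7..30 log2 bounds are assumed from Drupal's implementation since the page does not state them; 'sha512' is used as $algo, and the union return type needs PHP 8.

```php
<?php
// Added re-implementation of the scheme described above (not Drupal's own
// class). ASSUMED from Drupal: the '$S$' prefix, HASH_LENGTH = 55 and the
// 7..30 log2 bounds; the count is stored as the 4th character of the setting.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const MIN_HASH_COUNT = 7;
const MAX_HASH_COUNT = 30;
const HASH_LENGTH = 55;
// crypt()-style base64: 6 bits per character, no padding, ITOA64 alphabet.
function base64Encode(string $input, int $count): string {
  $out = ''; $i = 0;
  do {
    $v = ord($input[$i++]);
    $out .= ITOA64[$v & 0x3f];
    if ($i < $count) { $v |= ord($input[$i]) << 8; }
    $out .= ITOA64[($v >> 6) & 0x3f];
    if ($i++ >= $count) { break; }
    if ($i < $count) { $v |= ord($input[$i]) << 16; }
    $out .= ITOA64[($v >> 12) & 0x3f];
    if ($i++ >= $count) { break; }
    $out .= ITOA64[($v >> 18) & 0x3f];
  } while ($i < $count);
  return $out;
}
// 12-character setting: prefix, log2 count character, 8 characters of salt.
function generateSalt(int $countLog2): string {
  $countLog2 = max(MIN_HASH_COUNT, min(MAX_HASH_COUNT, $countLog2));
  return '$S$' . ITOA64[$countLog2] . base64Encode(random_bytes(6), 6);
}
function getCountLog2(string $setting): int {
  return strpos(ITOA64, $setting[3]);
}
// Stretch: hash salt.password once, then hash.password 2^countLog2 times.
function stretchedHash(string $algo, string $password, string $setting): string|false {
  $setting = substr($setting, 0, 12);
  if ($setting[0] !== '$' || $setting[2] !== '$') { return false; }
  $countLog2 = getCountLog2($setting);
  // A stored hash may carry any count; refuse counts outside the bounds.
  if ($countLog2 < MIN_HASH_COUNT || $countLog2 > MAX_HASH_COUNT) { return false; }
  $salt = substr($setting, 4, 8);
  $count = 1 << $countLog2;
  $hash = hash($algo, $salt . $password, true);
  do { $hash = hash($algo, $hash . $password, true); } while (--$count);
  return substr($setting . base64Encode($hash, strlen($hash)), 0, HASH_LENGTH);
}
// Verification re-runs the stretch with the stored hash as the setting string.
$stored = stretchedHash('sha512', 'correct horse', generateSalt(16));
$ok = hash_equals($stored, stretchedHash('sha512', 'correct horse', $stored));
printf("%s (%d chars, log2 count %d) verifies: %s\n", $stored, strlen($stored), getCountLog2($stored), $ok ? 'yes' : 'no');
```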

string hash(string $password)

Hash a password using a secure hash.

Parameters

string $password

A plain-text password.

Return Value

string

A string containing the hashed password, or FALSE on failure.

bool check(string $password, string $hash)

Check whether a plain-text password matches a hashed password.

Parameters

string $password

A plain-text password.

string $hash

A hashed password.

Return Value

bool

TRUE if the password is valid, FALSE if not.

bool needsRehash(string $hash)

Check whether a hashed password needs to be replaced with a new hash.

This is typically called during the login process, when the plain-text password is available. A new hash is needed when the desired iteration count has changed (for example through a modification of the password service in the dependency injection container), or when the user's password hash was generated by an update such as user_update_7000() (see the Drupal 7 documentation).

Parameters

string $hash

The existing hash to be checked.

Return Value

bool

TRUE if the hash is outdated and needs to be rehashed.
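The login-time flow that needsRehash() is designed for, as an added example rather than code from the Drupal project: it assumes the PasswordInterface methods on this page and a Drupal user entity with getPassword(), setPassword() and save(), where saving a user with a newly set plain-text password hashes it with the configured password service.

```php
<?php
// Added example; not Drupal's own code. Assumes PasswordInterface (this page)
// and the user entity's getPassword()/setPassword()/save() methods, with the
// entity hashing the new value on save.
use Drupal\Core\Password\PasswordInterface;
use Drupal\user\UserInterface;

/**
 * Verifies a login attempt and, only on success, upgrades a stale hash.
 *
 * Rehashing needs the plain-text password, which is only available at login,
 * so this is the one place a raised iteration count can take effect for
 * existing accounts.
 */
function authenticateAndUpgrade(PasswordInterface $hasher, UserInterface $account, string $password): bool {
  $stored = $account->getPassword();
  if (!$hasher->check($password, $stored)) {
    // Never rehash on failure: the supplied plain text was not verified.
    return false;
  }
  if ($hasher->needsRehash($stored)) {
    // The stored hash uses an old iteration count or a legacy format; a fresh
    // salt and the current count are applied when the entity is saved.
    $account->setPassword($password);
    $account->save();
  }
  return true;
}
```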