Security

Deprecate Salt Option of password_hash()

Storing passwords in plain text is a deadly sin, as we all know. Luckily, since PHP 5.5, PHP offers a built-in function that can hash passwords in a cryptographically secure fashion.

The password_hash() function supports different hashing algorithms. Today, the password hashing algorithm of choice should probably be Argon2, the winner of the 2015 Password Hashing Competition.

In case you are still using bcrypt, which is far more susceptible to attacks using custom hardware, you should know that passing an explicit salt has now been deprecated:

// Passing a 22-character salt explicitly for bcrypt: the hash is still produced,
// but PHP now emits the deprecation notice shown below.
var_dump(
    password_hash(
        'the-password',
        PASSWORD_BCRYPT,
        [
            'salt' => '......................'
        ]
    )
);

In case you are wondering: the salt needs to be 22 characters long; any shorter string will give you a PHP warning. It should also be mentioned that the salt option only exists for the bcrypt hashing algorithm, so you will not see the following deprecation message when using another hashing algorithm:

PHP Deprecated:
password_hash(): Use of the 'salt' option to password_hash
is deprecated in ...
string(60) "$2y$10$......................cCWKGSAtmf2xuh1BkZzNY1VbDi0.dk."
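The recommended replacement is simply to omit the salt and let password_hash() draw one from the CSPRNG itself. The following is an added example, not code from the original article: it hashes a password without a salt option, verifies it with password_verify(), and uses password_needs_rehash() to migrate an existing bcrypt hash to Argon2id at login time. The helper names (hashPassword, verifyAndMaybeRehash, preferredAlgo) are my own; PASSWORD_ARGON2ID is assumed to be available (PHP 7.3+ built with Argon2 support) and the code falls back to PASSWORD_DEFAULT where it is not.

```php
<?php
// Added example (not from the original article): hashing without an explicit
// salt, verification, and transparent upgrade of legacy bcrypt hashes.

function preferredAlgo(): string
{
    // Argon2id requires PHP >= 7.3 compiled with Argon2 support; otherwise use
    // PASSWORD_DEFAULT (currently bcrypt), which still gets a random salt from PHP.
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
}

function hashPassword(string $password): string
{
    // No 'salt' option: password_hash() generates the salt itself and embeds it
    // in the returned string, so nothing salt-related has to be stored separately.
    return password_hash($password, preferredAlgo());
}

function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    // password_verify() parses algorithm, parameters and salt out of the hash
    // string, so it accepts bcrypt ($2y$) and Argon2 ($argon2i$/$argon2id$) alike.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }

    // While the plaintext is available (at login), upgrade hashes that still use
    // an older algorithm or weaker parameters than what we now prefer.
    if (password_needs_rehash($storedHash, preferredAlgo())) {
        return ['ok' => true, 'hash' => hashPassword($password)];
    }

    return ['ok' => true, 'hash' => $storedHash];
}

// Usage with a constructed legacy record: a bcrypt hash created the old way
// (cost 10, PHP-generated salt) is accepted and replaced on a successful login.
$legacyHash = password_hash('the-password', PASSWORD_BCRYPT, ['cost' => 10]);

$result = verifyAndMaybeRehash('the-password', $legacyHash);
var_dump($result['ok']);
var_dump(password_get_info($result['hash'])['algoName']);

// A wrong password is rejected and the stored hash is left untouched.
$rejected = verifyAndMaybeRehash('not-the-password', $legacyHash);
var_dump($rejected['ok'], $rejected['hash'] === $legacyHash);
```

The returned hash should overwrite the stored one whenever verification succeeds; because the algorithm identifier is part of the hash string, old and new hashes can coexist in the same column during the migration.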