The password_hash function supports BCrypt and Argon2i (in PHP 7.2). MD5 was never meant for passwords. Also, since 1994 it could already be considered broken; nowadays it is not recommended for anything, but that is not the issue here.
To use password_verify, it is preferable to use a password hash that is compatible with BCrypt (or Argon2i for PHP 7.2); you can use:
For BCrypt:
    password_hash($senha, PASSWORD_BCRYPT);
For Argon2i:
    password_hash($senha, PASSWORD_ARGON2I);
Caution: password_hash does not remove null bytes and will stop at them, so this is broken:
    // Do not use the code below in production, it contains intentional errors:
    $_POST['senha'] = "a\x00bc";
    // Note: there is a null byte after the 'a'; a user can send it as '%00'!
    $hash = password_hash($_POST['senha'], PASSWORD_BCRYPT);
    if (strlen($_POST['senha']) >= 3 && strlen($_POST['senha']) < 70) {
        // bcrypt only saw "a", so the hash of "a\x00bc" verifies against "a"
        if (password_verify('a', $hash)) {
            echo 'Igual';
        }
    }
Try it. Result: Igual, yes, a equals a\x00bc. >:D
If you do not want to use BCrypt / Argon2i, not everything is lost; you can use PBKDF2, for example:
    $senha = '12345678';
    $salt = random_bytes(16);
    $iteracoes = 150000;
    $hash = hash_pbkdf2('sha3-512', $senha, $salt, $iteracoes);
To check, just do hash_equals($senha, $hash). Never do $senha === $hash, let alone $senha == $hash, obviously. It is not considered better than BCrypt and not much better than Argon2i; some say it is the "worst of the recommended methods", used "when there is nothing better".