The output that I noticed after some data was encrypted by the password_hash() function consists of alphanumeric values and some special characters like $, . and /. Are there any more special characters besides these?
Read the documentation.
You're seeing the salt (understand more about it); this part is not part of the hash.
Generally speaking, it does not matter what is being generated. If the software has any limitations on this it is probably wrong.
password_hash() supports two formats, one for BCrypt and one for Argon2:
In summary, for BCrypt, PHP uses something very close to the MCF:
$<algoritmo>$<custo>$<salt><hash>
The <algoritmo> is the name of the algorithm and version; the cost is a numerical value for the computational cost chosen. <salt> and <hash> can have [a-zA-Z0-9./], which is just base64, changing + to .
Argon2 follows a similar line, but it is exactly the PHC String Format:
$<algoritmo>$<parametro-versao>$<parametro-custo>$<salt>$<hash>
The <algoritmo> can use [a-z0-9-]. As for <parametro-versao>, it can have a name using [a-z0-9-] and its value is a hexadecimal, although the rule allows [a-zA-Z0-9/+.-]; name and value are separated by =, so it is v=19, for example, indicating "version = 1.3".
<parametro-custo> can also have a name using [a-z0-9-] and a value represented in [a-zA-Z0-9/+.-]. Currently it uses the parameters m for memory, t for time and p for parallelism. Their values are numeric, also separated from the name by =, giving something like m=1024,t=2,p=2.
<salt> and <hash> are represented by [a-zA-Z0-9/+.-].
Finally, it uses a-z, A-Z, 0-9, /, ., -, +, $, =.
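The two layouts described in the answer above can be checked against real password_hash() output. The following is an added example, not code from the original answer; the function name parse_password_hash and the sample password are assumptions made for illustration, and the Argon2 branch only runs when PHP was built with Argon2 support.

```php
<?php
// Added example (not from the original answer): split password_hash() output
// into the fields described above and check them against the stated alphabets.
function parse_password_hash(string $h): ?array
{
    // BCrypt, close to MCF: $<id>$<cost>$<22-char salt><31-char hash>
    $bcrypt = '#^\$(2[abxy]?)\$(\d{2})\$([A-Za-z0-9./]{22})([A-Za-z0-9./]{31})$#D';
    if (preg_match($bcrypt, $h, $m)) {
        return ['algo' => $m[1], 'params' => ['cost' => (int) $m[2]],
                'salt' => $m[3], 'hash' => $m[4]];
    }
    // Argon2, PHC string format: $<id>$v=<n>$m=<n>,t=<n>,p=<n>$<salt>$<hash>
    $argon = '#^\$(argon2(?:id|i|d))\$v=(\d+)\$([a-z]+=\d+(?:,[a-z]+=\d+)*)'
           . '\$([A-Za-z0-9/+.-]+)\$([A-Za-z0-9/+.-]+)$#D';
    if (preg_match($argon, $h, $m)) {
        $params = ['v' => (int) $m[2]];
        foreach (explode(',', $m[3]) as $pair) {
            [$name, $value] = explode('=', $pair, 2);
            $params[$name] = (int) $value;
        }
        return ['algo' => $m[1], 'params' => $params,
                'salt' => $m[4], 'hash' => $m[5]];
    }
    return null; // neither of the two formats described on this page
}

$algos = ['bcrypt' => PASSWORD_BCRYPT];
if (defined('PASSWORD_ARGON2ID')) { // constant exists only in Argon2-enabled builds
    $algos['argon2id'] = PASSWORD_ARGON2ID;
}
foreach ($algos as $label => $algo) {
    $hash = password_hash('constructed-sample-password', $algo);
    $fields = parse_password_hash($hash);
    if ($fields === null) {
        echo "$label: unexpected format: $hash\n";
        continue;
    }
    // The comma separates Argon2 parameters, as in m=1024,t=2,p=2.
    $inAlphabet = preg_match('#^[A-Za-z0-9/.+$=,-]+$#D', $hash) === 1;
    printf("%s (%d chars): %s\n", $label, strlen($hash), $hash);
    printf("  algo=%s params=%s alphabet_ok=%s\n", $fields['algo'],
        json_encode($fields['params']), $inAlphabet ? 'yes' : 'no');
}
```

The printed lengths differ between the two algorithms, so the storage field has to hold the whole string unmodified: salt, parameters and hash all live in it, and password_verify() needs every character back.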