
Updating Passwords with PHP


PHP >= 5.5 has the password_hash function to simplify hashing passwords. Normally they recommend something like:

password_hash($password, PASSWORD_DEFAULT)

to take advantage of any improvements in future versions. Currently the default algorithm is bcrypt.

The questions are:

  • will stored password hashes be incompatible with a future implementation which uses a different algorithm?
  • if so, is there any way of updating the data?

Thanks


Solution

  • Review the manual here

    The identifier, for example $2y$, identifies which hash was used, thereby allowing compatibility in the future when additional algorithms are added.

    For a hash, the only way to update it should be after the user enters their password; you can then recreate the hash using a new algorithm.
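
The rehash-on-login flow described in the answer above, as an added example that is not part of the original answer. It uses PHP's built-in password_verify, password_needs_rehash and password_get_info; the login function, the in-memory $users array, the sample account and the cost values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table" standing in for a real database.
// The record is hashed with a deliberately low bcrypt cost to simulate
// a hash created under an older policy.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
];

/**
 * Verify a login and upgrade the stored hash when it no longer matches
 * the current policy (algorithm or options). Returns true on success.
 * $algo is left untyped because PASSWORD_* constants changed from int
 * to string in PHP 7.4.
 */
function login(array &$users, string $name, string $password, $algo, array $options): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // password_verify reads the algorithm identifier, cost and salt from
    // the stored hash itself, so old hashes keep verifying after the
    // default algorithm changes.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // The plaintext is only available at this point, so this is the one
    // place where the hash can be recreated under the new policy.
    if (password_needs_rehash($stored, $algo, $options)) {
        $users[$name] = password_hash($password, $algo, $options);
    }
    return true;
}

$policy = ['cost' => 12]; // assumed current policy

$before = password_get_info($users['alice']);
$rejected = login($users, 'alice', 'wrong password', PASSWORD_DEFAULT, $policy);
$accepted = login($users, 'alice', 'correct horse', PASSWORD_DEFAULT, $policy);
$after = password_get_info($users['alice']);

// Show the login results and the cost recorded in the hash before and after.
var_dump($rejected, $accepted, $before['options'], $after['options']);
```

A failed login leaves the stored hash untouched, so accounts that never log in again keep their old hash until the password is reset.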