Tags: php, password-hash, php-7.4

Identifying what PASSWORD_DEFAULT will be in PHP 7.4


Just before using password_hash(), I check if PASSWORD_DEFAULT === PASSWORD_BCRYPT to see if I need to do some cleanup on the password before it's hashed (Argon2 won't need this).

I'm simply passing it through a quick hash first, because bcrypt has an issue with NULL characters, and passwords longer than 72 characters (more info, and a different example).

But in PHP 7.4, the constant PASSWORD_DEFAULT is now set to NULL.

So how can I tell what algorithm password_hash() will use?


Solution

    Edit:

    As of PHP 7.4.3 you can continue using PASSWORD_DEFAULT === PASSWORD_BCRYPT

    https://3v4l.org/nN4Qi


    You don't actually have to use password_hash twice. A better and faster way is to provide an already hashed value with Bcrypt and check it against PASSWORD_DEFAULT with password_needs_rehash function to see if the default algo has changed or not.

    The bcrypt algorithm is the default as of PHP 5.5.0.

    So for example:

    <?php
    // A bcrypt ("$2y$") hash created with the default cost of 10
    $hash = '$2y$10$ra4VedcLU8bv3jR0AlpEau3AZevkQz4Utm7F8EqUNE0Jqx0s772NG';

    // password_needs_rehash() compares the hash's algorithm and cost with
    // PASSWORD_DEFAULT; if it doesn't need a rehash, the default algo is
    // absolutely bcrypt (no actual hashing is performed by this call)
    if (! password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // do some clean up
    }

    Note: make sure that the hash value ($hash) has the same cost provided in password_needs_rehash's third parameter, otherwise it will consider the hash outdated and in need of a rehash, since the cost has changed.
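Putting the answer's detection trick together with the pre-hashing the question describes, here is an added example (not code from the original question or answer). It reuses the bcrypt hash quoted above as the reference value, keeps the cost explicitly at 10 so that the rehash check does not trip on a cost mismatch, and applies the pre-hash on the verification side too, which is the part that is easy to forget; the function names are my own.

```php
<?php
// Added example: decide at runtime whether password_hash() would use bcrypt,
// and only then pre-hash the password so that bcrypt's 72-byte truncation
// and NUL-byte problems never apply.

// A bcrypt hash created with the default cost of 10 (taken from the answer
// above; any valid "$2y$10$" hash works). Checking it runs no hashing.
const REFERENCE_BCRYPT_HASH = '$2y$10$ra4VedcLU8bv3jR0AlpEau3AZevkQz4Utm7F8EqUNE0Jqx0s772NG';

function defaultAlgoIsBcrypt(): bool
{
    // password_needs_rehash() returns false only when the hash already matches
    // PASSWORD_DEFAULT *and* the given cost, so the cost must stay in sync
    // with the cost embedded in REFERENCE_BCRYPT_HASH.
    return !password_needs_rehash(REFERENCE_BCRYPT_HASH, PASSWORD_DEFAULT, ['cost' => 10]);
}

function prepareForBcrypt(string $password): string
{
    // SHA-384 yields 48 raw bytes; base64 turns them into 64 printable
    // characters, so the result is always shorter than 72 bytes and never
    // contains "\0". Every byte of the original password still contributes.
    return base64_encode(hash('sha384', $password, true));
}

function hashPassword(string $password): string
{
    $input = defaultAlgoIsBcrypt() ? prepareForBcrypt($password) : $password;
    return password_hash($input, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // The stored hash records which algorithm produced it, so verification
    // applies the pre-hash exactly when the stored hash is bcrypt, even if
    // PASSWORD_DEFAULT has since changed to Argon2.
    $info  = password_get_info($storedHash);
    $input = ($info['algoName'] === 'bcrypt') ? prepareForBcrypt($password) : $password;
    return password_verify($input, $storedHash);
}

// Demonstration with a constructed password that plain bcrypt would truncate
// at 72 bytes: the two candidates differ only after that point.
$long   = str_repeat('a', 80) . "\0tail";
$stored = hashPassword($long);

var_dump(verifyPassword($long, $stored));                           // bool(true)
var_dump(verifyPassword(str_repeat('a', 80) . "\0other", $stored)); // bool(false)
```

If the reference hash is ever regenerated with a different cost, update the `'cost' => 10` option in the same change; otherwise `defaultAlgoIsBcrypt()` silently reports false and the cleanup is skipped.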