<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Derive a key from a password</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.sodium-crypto-pwhash-str.html">sodium_crypto_pwhash_str</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.sodium-crypto-scalarmult-base.html">sodium_crypto_scalarmult_base</a></div>
<div class="up"><a href="ref.sodium.html">Sodium Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.sodium-crypto-pwhash" class="refentry">
<div class="refnamediv">
<h1 class="refname">sodium_crypto_pwhash</h1>
<p class="verinfo">(PHP 7 >= 7.2.0)</p><p class="refpurpose"><span class="refname">sodium_crypto_pwhash</span> — <span class="dc-title">Derive a key from a password</span></p>
</div>
<div class="refsect1 description" id="refsect1-function.sodium-crypto-pwhash-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="type">string</span> <span class="methodname"><strong>sodium_crypto_pwhash</strong></span>
( <span class="methodparam"><span class="type">int</span> <code class="parameter">$length</code></span>
, <span class="methodparam"><span class="type">string</span> <code class="parameter">$password</code></span>
, <span class="methodparam"><span class="type">string</span> <code class="parameter">$salt</code></span>
, <span class="methodparam"><span class="type">int</span> <code class="parameter">$opslimit</code></span>
, <span class="methodparam"><span class="type">int</span> <code class="parameter">$memlimit</code></span>
[, <span class="methodparam"><span class="type">int</span> <code class="parameter">$alg</code></span>
] )</div>
<p class="para rdfs-comment">
</p>
<div class="warning"><strong class="warning">Warning</strong><p class="simpara">This function is
currently not documented; only its argument list is available.
</p></div>
</div>
<div class="refsect1 parameters" id="refsect1-function.sodium-crypto-pwhash-parameters">
<h3 class="title">Parameters</h3>
<dl>
<dt>
<code class="parameter">length</code></dt>
<dd>
<p class="para">
<span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span>; The length of the password hash to generate, in bytes.
</p>
</dd>
<dt>
<code class="parameter">password</code></dt>
<dd>
<p class="para">
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>; The password to generate a hash for.
</p>
</dd>
<dt>
<code class="parameter">salt</code></dt>
<dd>
<p class="para">
<span class="type"><a href="language.types.string.html" class="type string">string</a></span> A salt to add to the password before hashing. The salt should be unpredictable, ideally generated from a good random mumber source such as <span class="function"><a href="function.random-bytes.html" class="function">random_bytes()</a></span>, and have a length of at least <strong><code>SODIUM_CRYPTO_PWHASH_SALTBYTES</code></strong> bytes.
</p>
</dd>
<dt>
<code class="parameter">opslimit</code></dt>
<dd>
<p class="para">
Represents a maximum amount of computations to perform. Raising this number will make the function require more CPU cycles to compute a key. There are some constants available to set the operations limit to appropriate values depending on intended use, in order of strength: <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE</code></strong>, <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE</code></strong> and <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE</code></strong>.
</p>
</dd>
<dt>
<code class="parameter">memlimit</code></dt>
<dd>
<p class="para">
The maximum amount of RAM that the function will use, in bytes. There are constants to help you choose an appropriate value, in order of size: <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE</code></strong>, <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE</code></strong>, and <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE</code></strong>. Typically these should be paired with the matching opslimit values.
</p>
</dd>
<dt>
<code class="parameter">alg</code></dt>
<dd>
<p class="para">
<span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span> A number indicating the hash algorithm to use. By default <strong><code>SODIUM_CRYPTO_PWHASH_ALG_DEFAULT</code></strong> (the currently recommended algorithm, which can change from one version of libsodium to another), or explicitly using <strong><code>SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13</code></strong>, representing the Argon2id algorithm version 1.3.
</p>
</dd>
</dl>
</div>
<div class="refsect1 returnvalues" id="refsect1-function.sodium-crypto-pwhash-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
Returns the hashed password, or <strong><code>FALSE</code></strong> on failure.
</p>
<p class="para">
The used algorithm, opslimit, memlimit and salt are embedded within the hash, so
all information needed to verify the hash is included. This allows
the <span class="function"><a href="function.password-verify.html" class="function">password_verify()</a></span> function to verify the hash without
needing separate storage for the salt or algorithm information.
</p>
</div>
<div class="refsect1 notes" id="refsect1-function.sodium-crypto-pwhash-notes">
<h3 class="title">Notes</h3>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
It is recommended that you test this function on your servers, and adjust the <code class="parameter">opslimit</code> and <code class="parameter">memlimit</code> parameters
so that execution of the function takes less than 100 milliseconds on interactive systems, and also verify that it fits with your PHP memory_limit setting.
The constants will help you choose good limits for your hardware.
</p>
<p class="para">
In order to produce the same password hash from the same password, the same algorithm, the same salt, and the same values for <code class="parameter">opslimit</code> and <code class="parameter">memlimit</code> must to be used. Therefore, these parameters must be stored for each user, or be used consistently for your whole application.
</p>
</p></blockquote>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.sodium-crypto-pwhash-str.html">sodium_crypto_pwhash_str</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.sodium-crypto-scalarmult-base.html">sodium_crypto_scalarmult_base</a></div>
<div class="up"><a href="ref.sodium.html">Sodium Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
