<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Derive a key from a password</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.sodium-crypto-pwhash-str.html">sodium_crypto_pwhash_str</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.sodium-crypto-scalarmult-base.html">sodium_crypto_scalarmult_base</a></div> <div class="up"><a href="ref.sodium.html">Sodium Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.sodium-crypto-pwhash" class="refentry"> <div class="refnamediv"> <h1 class="refname">sodium_crypto_pwhash</h1> <p class="verinfo">(PHP 7 >= 7.2.0)</p><p class="refpurpose"><span class="refname">sodium_crypto_pwhash</span> — <span class="dc-title">Derive a key from a password</span></p> </div> <div class="refsect1 description" id="refsect1-function.sodium-crypto-pwhash-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>sodium_crypto_pwhash</strong></span> ( <span class="methodparam"><span class="type">int</span> <code class="parameter">$length</code></span> , <span class="methodparam"><span class="type">string</span> <code class="parameter">$password</code></span> , <span class="methodparam"><span class="type">string</span> <code class="parameter">$salt</code></span> , <span class="methodparam"><span class="type">int</span> <code class="parameter">$opslimit</code></span> , <span class="methodparam"><span class="type">int</span> <code class="parameter">$memlimit</code></span> [, <span class="methodparam"><span class="type">int</span> <code class="parameter">$alg</code></span> ] )</div> <p class="para rdfs-comment"> </p> <div 
class="warning"><strong class="warning">Warning</strong><p class="simpara">This function is currently not documented; only its argument list is available. </p></div> </div> <div class="refsect1 parameters" id="refsect1-function.sodium-crypto-pwhash-parameters"> <h3 class="title">Parameters</h3> <dl> <dt> <code class="parameter">length</code></dt> <dd> <p class="para"> <span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span>; The length of the password hash to generate, in bytes. </p> </dd> <dt> <code class="parameter">password</code></dt> <dd> <p class="para"> <span class="type"><a href="language.types.string.html" class="type string">string</a></span>; The password to generate a hash for. </p> </dd> <dt> <code class="parameter">salt</code></dt> <dd> <p class="para"> <span class="type"><a href="language.types.string.html" class="type string">string</a></span>; A salt to add to the password before hashing. The salt should be unpredictable, ideally generated from a good random number source such as <span class="function"><a href="function.random-bytes.html" class="function">random_bytes()</a></span>, and have a length of at least <strong><code>SODIUM_CRYPTO_PWHASH_SALTBYTES</code></strong> bytes. </p> </dd> <dt> <code class="parameter">opslimit</code></dt> <dd> <p class="para"> Represents a maximum amount of computations to perform. Raising this number will make the function require more CPU cycles to compute a key. There are some constants available to set the operations limit to appropriate values depending on intended use, in order of strength: <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE</code></strong>, <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE</code></strong> and <strong><code>SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE</code></strong>. </p> </dd> <dt> <code class="parameter">memlimit</code></dt> <dd> <p class="para"> The maximum amount of RAM that the function will use, in bytes.
There are constants to help you choose an appropriate value, in order of size: <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE</code></strong>, <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE</code></strong>, and <strong><code>SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE</code></strong>. Typically these should be paired with the matching opslimit values. </p> </dd> <dt> <code class="parameter">alg</code></dt> <dd> <p class="para"> <span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span> A number indicating the hash algorithm to use. By default <strong><code>SODIUM_CRYPTO_PWHASH_ALG_DEFAULT</code></strong> (the currently recommended algorithm, which can change from one version of libsodium to another), or explicitly using <strong><code>SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13</code></strong>, representing the Argon2id algorithm version 1.3. </p> </dd> </dl> </div> <div class="refsect1 returnvalues" id="refsect1-function.sodium-crypto-pwhash-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the hashed password, or <strong><code>FALSE</code></strong> on failure. </p> <p class="para"> The used algorithm, opslimit, memlimit and salt are embedded within the hash, so all information needed to verify the hash is included. This allows the <span class="function"><a href="function.password-verify.html" class="function">password_verify()</a></span> function to verify the hash without needing separate storage for the salt or algorithm information. 
</p> </div> <div class="refsect1 notes" id="refsect1-function.sodium-crypto-pwhash-notes"> <h3 class="title">Notes</h3> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> It is recommended that you test this function on your servers, and adjust the <code class="parameter">opslimit</code> and <code class="parameter">memlimit</code> parameters so that execution of the function takes less than 100 milliseconds on interactive systems, and also verify that it fits with your PHP memory_limit setting. The constants will help you choose good limits for your hardware. </p> <p class="para"> In order to produce the same password hash from the same password, the same algorithm, the same salt, and the same values for <code class="parameter">opslimit</code> and <code class="parameter">memlimit</code> must be used. Therefore, these parameters must be stored for each user, or be used consistently for your whole application. </p> </p></blockquote> </div> </div></body></html>
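The Notes above say the algorithm, salt, opslimit and memlimit must be stored to reproduce the same output. The following is an added example, not part of the PHP manual: it derives a secretbox key from a password and keeps those parameters next to the ciphertext. The function names deriveKey(), seal() and unseal(), the JSON envelope layout and the MODERATE policy cap are assumptions made for illustration; it requires the sodium extension.

```php
<?php
declare(strict_types=1);

// Added example: deriveKey(), seal(), unseal() and the JSON envelope are hypothetical names.
function deriveKey(string $password, array $p): string
{
    // Refuse stored cost parameters above what this service is willing to spend.
    if ($p['ops'] > SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE || $p['mem'] > SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE) {
        throw new RuntimeException('cost parameters exceed local policy');
    }
    $key = sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password,
        $p['salt'], $p['ops'], $p['mem'], $p['alg']);
    if ($key === false) {
        throw new RuntimeException('key derivation failed');
    }
    return $key;
}

function seal(string $password, string $plaintext): string
{
    // The salt and cost parameters are not secret; they are stored with the ciphertext.
    $p = [
        'alg'  => SODIUM_CRYPTO_PWHASH_ALG_DEFAULT, // record the concrete value used now
        'ops'  => SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        'mem'  => SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        'salt' => random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES),
    ];
    $key   = deriveKey($password, $p);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key);
    $p['salt'] = base64_encode($p['salt']);
    return json_encode($p + ['nonce' => base64_encode($nonce), 'box' => base64_encode($box)]);
}

function unseal(string $password, string $envelope): string
{
    $e = json_decode($envelope, true);
    $e['salt'] = base64_decode($e['salt'], true);
    $key   = deriveKey($password, $e); // same salt, limits and algorithm give the same key
    $plain = sodium_crypto_secretbox_open(base64_decode($e['box'], true), base64_decode($e['nonce'], true), $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('wrong password or modified envelope');
    }
    return $plain;
}

// Constructed sample input.
$envelope = seal('correct horse battery staple', 'constructed sample secret');
echo unseal('correct horse battery staple', $envelope), PHP_EOL;
```

The cap in deriveKey() matters because the cost parameters are read back from stored data: without it, a modified envelope could request more CPU and RAM than the PHP memory_limit or the host allows.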