Is there a list of characters not used to generate the hash in PHP's password_hash()? I'm looking for a quick/cheap way of indicating which proprietary algorithm or standard password_hash() was used to generate the hash and would like to just tag on a single character to the front of the string returned but can't seem to find a list of characters the function doesn't use in the return value.

1 Answer

1
Geoffrey On

Please see the documentation for password_hash:

The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.

https://www.php.net/manual/en/function.password-hash.php

You can use password_get_info to obtain this information from a hash:

https://www.php.net/manual/en/function.password-get-info.php

If the provided value is an unsupported/unknown hash this function will return:

Array ( 
    [algo] => 0 
    [algoName] => unknown 
    [options] => Array ( ) 
)
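
The check described in the answer above, as an added example that is not part of the original answer: it uses password_get_info() to tell password_hash() output apart from a proprietary format, so no marker character has to be prepended, and it upgrades legacy records on a successful login. The legacy format, legacy_verify() and check_login() are hypothetical names constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical legacy format, constructed for this example:
// "<salt>:<sha256(salt . password)>". Substitute the real proprietary check.
function legacy_verify(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$salt, $digest] = $parts;
    // hash_equals() compares in constant time.
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
// stored value should be replaced with a fresh password_hash() result.
function check_login(string $password, string $stored): array
{
    $info = password_get_info($stored);
    // algoName is 'unknown' for anything password_hash() did not produce.
    $isNative = $info['algoName'] !== 'unknown';

    $ok = $isNative
        ? password_verify($password, $stored)
        : legacy_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    // Migrate legacy records, and native ones with outdated algorithm or cost.
    if (!$isNative || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed sample records.
$native = password_hash('correct horse', PASSWORD_DEFAULT);
$legacy = 'a1b2c3d4:' . hash('sha256', 'a1b2c3d4' . 'correct horse');

foreach (['native' => $native, 'legacy' => $legacy] as $label => $stored) {
    [$ok, $new] = check_login('correct horse', $stored);
    printf("%s: ok=%s upgrade=%s\n", $label, var_export($ok, true), $new === null ? 'no' : 'yes');
}
[$ok] = check_login('wrong', $legacy);
printf("wrong password: ok=%s\n", var_export($ok, true));
```

The test on algoName rather than algo is deliberate: the value of algo for an unrecognised hash differs between PHP versions, while algoName is the string unknown in each.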