class Pbkdf2HashingStrategy implements PasswordHashingStrategyInterface

A PBKDF2-based password hashing strategy

Properties

protected $dynamicSaltLength

Length of the dynamic random salt to generate in bytes

protected $iterationCount

Hash iteration count, high counts (>10,000) make brute-force attacks unfeasible

protected $derivedKeyLength

Derived key length

protected $algorithm

Hash algorithm to use, see hash_algos()

Methods

__construct(int $dynamicSaltLength, int $iterationCount, int $derivedKeyLength, string $algorithm)

Construct a PBKDF2 hashing strategy with the given parameters

string
hashPassword(string $password, string|null $staticSalt = null)

Hash a password for storage using PBKDF2 and the configured parameters.

bool
validatePassword(string $password, string $hashedPasswordAndSalt, string|null $staticSalt = null)

Validate a password against a derived key (hashed password) and salt using PBKDF2.

Details

__construct(int $dynamicSaltLength, int $iterationCount, int $derivedKeyLength, string $algorithm)

Construct a PBKDF2 hashing strategy with the given parameters

Parameters

int $dynamicSaltLength

Length of the dynamic random salt to generate in bytes

int $iterationCount

Hash iteration count, high counts (>10,000) make brute-force attacks unfeasible

int $derivedKeyLength

Derived key length

string $algorithm

Hash algorithm to use, see hash_algos()

string hashPassword(string $password, string|null $staticSalt = null)

Hash a password for storage using PBKDF2 and the configured parameters.

Will use a combination of a random dynamic salt and the given static salt.

Parameters

string $password

Cleartext password that will be hashed

string|null $staticSalt

Optional static salt that will not be stored in the hashed password

Return Value

string

The hashed password with dynamic salt (if used)

bool validatePassword(string $password, string $hashedPasswordAndSalt, string|null $staticSalt = null)

Validate a password against a derived key (hashed password) and salt using PBKDF2.

Iteration count and algorithm have to match the parameters when generating the derived key.

Parameters

string $password
string $hashedPasswordAndSalt

Hashed password with dynamic salt (if used)

string|null $staticSalt

Optional static salt that will not be stored in the hashed password

Return Value

bool

true if the given cleartext password matched the hashed password

Exceptions

InvalidArgumentException
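
The hashPassword() / validatePassword() flow documented above, as an added example that is not this class's own source: a random dynamic salt is stored next to the derived key, the static salt takes part in the derivation but is never stored, and validation only succeeds when iteration count and algorithm match. Assumptions: the two function names, the "base64(salt),base64(key)" storage format, the salt concatenation order and all sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone functions, not the Pbkdf2HashingStrategy source.
// Assumed storage format: base64(dynamicSalt) . ',' . base64(derivedKey).
function hashPasswordExample(string $password, ?string $staticSalt, int $dynamicSaltLength,
    int $iterationCount, int $derivedKeyLength, string $algorithm): string
{
    if (!in_array($algorithm, hash_hmac_algos(), true)) {
        throw new InvalidArgumentException('Unsupported hash algorithm: ' . $algorithm);
    }
    // Fresh random salt per password, taken from the CSPRNG.
    $dynamicSalt = random_bytes($dynamicSaltLength);
    // The static salt is mixed into the derivation but never written to the result.
    $derivedKey = hash_pbkdf2($algorithm, $password, $dynamicSalt . (string)$staticSalt,
        $iterationCount, $derivedKeyLength, true);
    return base64_encode($dynamicSalt) . ',' . base64_encode($derivedKey);
}

function validatePasswordExample(string $password, string $hashedPasswordAndSalt,
    ?string $staticSalt, int $iterationCount, string $algorithm): bool
{
    $parts = explode(',', $hashedPasswordAndSalt);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('Expected "salt,derivedKey" in the stored value.');
    }
    $dynamicSalt = base64_decode($parts[0], true);
    $expectedKey = base64_decode($parts[1], true);
    if ($dynamicSalt === false || $expectedKey === false || $expectedKey === '') {
        throw new InvalidArgumentException('Stored salt or key is not valid base64.');
    }
    // Key length is read from the stored key; iteration count and algorithm
    // are not stored in this format, so the caller must supply the same ones.
    $actualKey = hash_pbkdf2($algorithm, $password, $dynamicSalt . (string)$staticSalt,
        $iterationCount, strlen($expectedKey), true);
    // Constant-time comparison, so timing does not reveal how many bytes matched.
    return hash_equals($expectedKey, $actualKey);
}

// Constructed sample values: 16-byte salt, 100000 iterations, 32-byte key, SHA-256.
$stored = hashPasswordExample('correct horse', 'app-wide-secret', 16, 100000, 32, 'sha256');
// Case 1: same password, static salt, iteration count and algorithm.
var_dump(validatePasswordExample('correct horse', $stored, 'app-wide-secret', 100000, 'sha256'));
// Case 2: static salt not supplied.
var_dump(validatePasswordExample('correct horse', $stored, null, 100000, 'sha256'));
// Case 3: iteration count differs from the one used when hashing.
var_dump(validatePasswordExample('correct horse', $stored, 'app-wide-secret', 50000, 'sha256'));
```

Because this assumed format stores neither the iteration count nor the algorithm, raising either setting later invalidates existing hashes unless the old parameters are kept available for validation and the password is rehashed on the next successful login.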