This class is adapted code taken from http://crackstation.net/hashing-security.htm, and you should refer to that great article about password hashing.

Some of the features include:

  • Long auto-generated random salts for every hashed password.
  • Same password hashed twice will have completely different hashes.
  • Hashing algorithm can be changed at any time and will not break previously hashed passwords.
  • Slow hash functions to make brute force attacks a little bit less convenient.
  • Doesn't use "wacky" hash functions, e.g. sha1(md5($password) . sha1($password)).

Once again, please refer to the great article about password hashing and bear in mind that this is only an adaptation of the code found there (rewritten into a class).

Usage example:

 $hasher = new \MD\Foundation\Crypto\Hasher();
 $hash = $hasher->hash('pa$$word');
 echo $hash;
 // -> 'sha256:1000:lGWhVGUVxQArXgfOckPmJCVZD0l0cYPT:9UMoX8p10AgI7wd1bkvqjuRzTSXv6YF7'

 // var_dump() rather than echo: echo prints nothing at all for false
 var_dump($hasher->validate('notmypassword', $hash));
 // -> bool(false)
 var_dump($hasher->validate('pa$$word', $hash));
 // -> bool(true)

As a general rule you should store the full generated hash. If, however, you want to store the hash in an external place (such as a browser cookie), use only the last section of the generated hash (the part after the last ":"), because the full string also carries the algorithm, iteration count and salt, which is all the information an attacker needs to crack it.

This class is intended especially for people not yet on PHP 5.5, which is the version that introduced the native password_hash() API.
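The mechanics behind the "algorithm:iterations:salt:hash" format shown above, as an added example that is not the class's own code: it assumes the class follows the crackstation scheme (PBKDF2 over the base64 salt text, four colon-separated sections indexed 0..3 by the HASH_*_INDEX constants) and uses openssl_random_pseudo_bytes() as a stand-in salt source, since the page does not show the class's own.

```php
<?php
// Added example (not the Hasher class's own code): a minimal re-creation of the
// "algorithm:iterations:salt:hash" format shown above; the salt source is assumed.
// PBKDF2 (RFC 2898) from hash_hmac() only, so it also runs before PHP 5.5, which
// introduced hash_pbkdf2(). Returns $keyLength raw bytes.
function pbkdf2($algo, $password, $salt, $iterations, $keyLength)
{
    $hashLen = strlen(hash($algo, '', true));
    $output = '';
    for ($block = 1; $block <= ceil($keyLength / $hashLen); $block++) {
        $last = $xorsum = hash_hmac($algo, $salt . pack('N', $block), $password, true);
        for ($i = 1; $i < $iterations; $i++) {      // the deliberately slow part
            $last = hash_hmac($algo, $last, $password, true);
            $xorsum ^= $last;                        // bytewise XOR of two strings
        }
        $output .= $xorsum;
    }
    return substr($output, 0, $keyLength);
}

// Constant-time comparison as documented for slowEquals(): running time depends
// only on the lengths, never on where the first differing byte is.
function slowEquals($a, $b)
{
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function createHash($password, $algo = 'sha256', $iterations = 1000, $saltBytes = 24, $hashBytes = 24)
{
    $salt = base64_encode(openssl_random_pseudo_bytes($saltBytes)); // assumed salt source
    $hash = pbkdf2($algo, $password, $salt, $iterations, $hashBytes);
    return $algo . ':' . $iterations . ':' . $salt . ':' . base64_encode($hash);
}

function validatePassword($password, $stored)
{
    $parts = explode(':', $stored);
    $expected = count($parts) === 4 ? base64_decode($parts[3], true) : false;
    if ($expected === false) {
        return false;   // wrong section count or invalid base64: reject, never "match"
    }
    // Algorithm, iterations and salt come from the stored hash, so defaults can change safely.
    list($algo, $iterations, $salt) = $parts;
    $actual = pbkdf2($algo, $password, $salt, (int) $iterations, strlen($expected));
    return slowEquals($expected, $actual);
}
```

Because validatePassword() reads the algorithm and iteration count out of the stored string, raising the defaults for new hashes leaves every previously stored hash verifiable.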

Constants

This class defines the following constants:

Hasher::HASH_SECTIONS
Hasher::HASH_ALGORITHM_INDEX
Hasher::HASH_ITERATION_INDEX
Hasher::HASH_SALT_INDEX
Hasher::HASH_PBKDF2_INDEX

Methods

This class defines the following methods:

__construct (string $algorithm = 'sha256', int $iterations = 1000, int $saltByteSize = 24, int $hashByteSize = 24)

Constructor.

Arguments:
string $algorithm

[optional] Hash algorithm. Default: sha256.

int $iterations

[optional] Number of hash iterations. Default: 1000.

int $saltByteSize

[optional] Salt size in bytes. Default: 24.

int $hashByteSize

[optional] Hash size in bytes. Default: 24.

hash (string $str) -> string

Hash the given string.

Hashes $str using the parameters passed to the constructor, or the sane defaults if none were given.

Example:

 $hasher = new \MD\Foundation\Crypto\Hasher();
 $hash = $hasher->hash('pa$$word');
 echo $hash;
 // -> 'sha256:1000:UI3BhfdMMlZ9Jr6Jgl6tLAc+X6CcTXhD:E6HrUs3Hjv/sbz4rCule5+3m2d8qDkxu'

Arguments:
string $str

String to be hashed.

Returns:
string

validate (string $str, string $hash) -> bool

Validate if the given hash is a hash of the given string.

Example:

 $hasher = new \MD\Foundation\Crypto\Hasher();
 var_dump($hasher->validate('pa$$word', 'sha256:1000:UI3BhfdMMlZ9Jr6Jgl6tLAc+X6CcTXhD:E6HrUs3Hjv/sbz4rCule5+3m2d8qDkxu'));
 // -> bool(true)

Arguments:
string $str

String to be verified (e.g. the password a user has entered).

string $hash

Hash to verify against (e.g. the password hash stored in the database).

Returns:
bool

slowEquals (string $a, string $b) -> bool

Compares two strings $a and $b in length-constant time: the running time depends only on the lengths of the strings, not on their contents, so it does not reveal through timing where a candidate hash first differs from the stored one.

Arguments:
string $a

String A to be compared.

string $b

String B to be compared.

Returns:
bool