sodium_crypto_pwhash

Function: params and return types changed in PHP 8.0

Derive a key from a password, using Argon2.

sodium_crypto_pwhash Function synopsis

sodium_crypto_pwhash(
    int $length,
    string $password,
    string $salt,
    int $opslimit,
    int $memlimit,
    int $algo = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT
  ): string

Parameters

$length

Type: int

The length of the password hash to generate, in bytes.

$password

Type: string

The password to generate a hash for.

$salt

Type: string

A salt to add to the password before hashing. The salt should be unpredictable, ideally generated from a good random number source such as random_bytes, and have a length of exactly SODIUM_CRYPTO_PWHASH_SALTBYTES bytes.

$opslimit

Type: int

The maximum number of computations to perform. Raising this number makes the function require more CPU cycles to compute a key. Constants are available to set the operations limit to appropriate values depending on intended use, in order of strength: SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE and SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE.

$memlimit

Type: int

The maximum amount of RAM that the function will use, in bytes. There are constants to help you choose an appropriate value, in order of size: SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE, and SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE. Typically these should be paired with the matching $opslimit values.

$algo

Optional. Type: int. Default value: SODIUM_CRYPTO_PWHASH_ALG_DEFAULT

A number indicating the hash algorithm to use: by default SODIUM_CRYPTO_PWHASH_ALG_DEFAULT (the currently recommended algorithm, which can change from one version of libsodium to another), or explicitly SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13, representing the Argon2id algorithm version 1.3.

Return value

Type: string

Returns the derived key. The return value is a binary string of the hash, not an ASCII-encoded representation, and does not contain additional information about the parameters used to create the hash, so you will need to keep that information if you are ever going to verify the password in future. Use sodium_crypto_pwhash_str to avoid needing to do all that.
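The bookkeeping described above, as an added example that is not from the original page or the PHP project: the derived key is stored together with the salt, limits and algorithm, then re-derived and compared in constant time. The helper names pwhash_create_record and pwhash_verify_record and the JSON record layout are assumptions made for illustration, and the record is assumed to come from trusted storage.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: derive a key and return a storable record holding the
// key plus every parameter needed to derive it again.
function pwhash_create_record(string $password, int $length = 32): string
{
    $salt     = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $opslimit = SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE;
    $memlimit = SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE;
    // Pinned rather than ALG_DEFAULT, which can change between libsodium versions.
    $algo     = SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13;

    $key = sodium_crypto_pwhash($length, $password, $salt, $opslimit, $memlimit, $algo);

    // The raw key is binary, so hex-encode it (and the salt) for storage.
    return json_encode([
        'algo'     => $algo,
        'opslimit' => $opslimit,
        'memlimit' => $memlimit,
        'salt'     => sodium_bin2hex($salt),
        'key'      => sodium_bin2hex($key),
    ], JSON_THROW_ON_ERROR);
}

// Hypothetical helper: re-derive with the stored parameters and compare.
// Assumes $record comes from trusted storage, since it controls memlimit/opslimit.
function pwhash_verify_record(string $password, string $record): bool
{
    $r    = json_decode($record, true, 4, JSON_THROW_ON_ERROR);
    $salt = sodium_hex2bin($r['salt']);
    $want = sodium_hex2bin($r['key']);
    if (strlen($salt) !== SODIUM_CRYPTO_PWHASH_SALTBYTES) {
        return false; // corrupted or foreign record
    }
    $got = sodium_crypto_pwhash(
        strlen($want), $password, $salt, $r['opslimit'], $r['memlimit'], $r['algo']
    );
    return hash_equals($want, $got); // constant-time comparison
}

// Constructed sample input.
$record = pwhash_create_record('correct horse battery staple');
var_dump(pwhash_verify_record('correct horse battery staple', $record));
var_dump(pwhash_verify_record('wrong password', $record));
```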

Changes to the sodium_crypto_pwhash Function

PHP 8.0

  • Return type added: string
  • Parameter type added for parameter #1 ($length): int
  • Parameter type added for parameter #2 ($password): string
  • Parameter type added for parameter #3 ($salt): string
  • Parameter type added for parameter #4 ($opslimit): int
  • Parameter type added for parameter #5 ($memlimit): int
  • Parameter name of parameter #6 changed: $alg to $algo
  • Parameter type added for parameter #6 ($algo): int
  • Parameter default value added for position #6 ($algo): SODIUM_CRYPTO_PWHASH_ALG_DEFAULT
  sodium_crypto_pwhash(
-     $length,
+     int $length,
-     $password,
+     string $password,
-     $salt,
+     string $salt,
-     $opslimit,
+     int $opslimit,
-     $memlimit,
+     int $memlimit,
-     $alg
+     int $algo = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT
-   )
+   ): string
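Review bot: the default added on the last parameter (`int $algo = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT`) lets callers omit the algorithm, and the $algo description on this page says that default can change from one libsodium version to another. A caller that keeps the derived key for later comparison should pass SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13 explicitly and store it next to the salt, $opslimit and $memlimit, so the same key can still be derived after a library upgrade.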

PHP 7.2

  • Function added

sodium_crypto_pwhash Function Availability

PHP Version                      Availability
PHP 8.5 (Future Release)         Yes
PHP 8.4 (Upcoming Release)       Yes
PHP 8.3 (Supported, Latest)      Yes
PHP 8.2 (Supported)              Yes
PHP 8.1 (Security-Fixes Only)    Yes
PHP 8.0 (Unsupported)            Yes
PHP 7.4 (Unsupported)            Yes
PHP 7.3 (Unsupported)            Yes
PHP 7.2 (Unsupported)            Yes
PHP 7.1 (Unsupported)            No
PHP 7.0 (Unsupported)            No
PHP 5.6 (Unsupported)            No
PHP 5.5 (Unsupported)            No
PHP 5.4 (Unsupported)            No
PHP 5.3 (Unsupported)            No