PHP password_hash always contains hashkey

Question

I am trying to test the password_hash method for this purpose i have created the following function hashPassword:

function hashPassword($string) {
    $settings = array('cost' => 10, 'encryption_key' => 'thisIsMyEncryptionKey1234');
    return password_hash($string, PASSWORD_BCRYPT, $settings);
}

Now if i test this with a random string like "test"

The result would be:

$2y$10$thisIsMyEncryptionKeyu5n3NNnKh3DjgJqgb5pE8YOLBclKrVWC

Or if i test it with helloworld:

$2y$10$thisIsMyEncryptionKeyuVw8QRVNw8HbEWHX2oQlArVtne2TzOpS

Can anyone tell me why this is happening? Or is it suppose to be like this?

Answer 1

You should never provide the encryption key manually unless you have a very good reason to do so. I'd recommend reading the docs on password_hash some more.

Proper usage just lets the system figure it all out on its own:

function hashPassword($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

PHP will then internally choose the best available algorithm and most fitting number of iterations for current hardware, and generate a safe and unique salt.

To validate the password, then use password_verify, and check for required rehashes, for example in a User class:

class User
{
    ...

    public function verifyPassword($password)
    {
      if(!password_verify($password, $this->hash))
        return false;
      if(password_needs_rehash($this->hash, PASSWORD_DEFAULT))
        $this->setNewHashAndSaveToDB(password_hash($password, PASSWORD_DEFAULT));
      return true;
    }
}

By using this construct, you ensure hashed passwords are always kept up to date and secure as hardware capacities progress, automatically when a user logs in.

The policy on what algorithm PASSWORD_DEFAULT chooses, and with which config, is as follows:

Updates to supported algorithms by this function (or changes to the default one) must follow the follwoing rules:

• Any new algorithm must be in core for at least 1 full release of PHP prior to becoming default. So if, for example, a new algorithm is added in 5.5.5, it would not be eligible for default until 5.7 (since 5.6 would be the first full release). But if a different algorithm was added in 5.6.0, it would also be eligible for default at 5.7.0.
• The default should only change on a full release (5.6.0, 6.0.0, etc) and not on a revision release. The only exception to this is in an emergency when a critical security flaw is found in the current default.

Answer 2

About Encryption key:

Best Encrуption kеy is a binary blob that's gеnеrated from a rеliablе random numbеr gеnеrator. Thе following еxample would bе rеcommеndеd (>= 5.3):

$keySize = mcrypt_get_key_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB);
$encryptionKey = openssl_random_pseudo_bytes($key_size, $strong); //$strong will be true if the key is crypto safe

But in your case you just set the string, use some random data for this.