

ircmaxell/password-compat
=========================

A compatibility library for the proposed simplified password hashing algorithm: https://wiki.php.net/rfc/password_hash

Latest release: v1.0.4 (11y ago). License: MIT. Language: PHP. [13 issues](https://github.com/ircmaxell/password_compat/issues), [6 PRs](https://github.com/ircmaxell/password_compat/pulls).


password\_compat
================


This library is intended to provide forward compatibility with the [password\_\*](http://php.net/password) functions that ship with PHP 5.5.

See [the RFC](https://wiki.php.net/rfc/password_hash) for more detailed information.

Requirements
============


This library requires `PHP >= 5.3.7` OR a version that has the `$2y` fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is **NOT** supported.

The runtime checks have been removed due to this version issue. To see if password\_compat is available for your system, run the included `version-test.php`. If it outputs "Pass", you can safely use the library. If not, you cannot.

If you attempt to use password-compat on an unsupported version, attempts to create or verify hashes will return `false`. You have been warned!

The reason for this is that PHP prior to 5.3.7 contains a [security issue with its BCRYPT implementation](http://php.net/security/crypt_blowfish.php). Therefore, it's highly recommended that you upgrade to a newer version of PHP prior to using this layer.

Installation
============


To install, simply `require` the `password.php` file under `lib`.

You can also install it via `Composer` by using the [Packagist archive](http://packagist.org/packages/ircmaxell/password-compat).

Usage
=====


**Creating Password Hashes**

To create a password hash from a password, simply use the `password_hash` function.

```
$hash = password_hash($password, PASSWORD_BCRYPT);
```

Note that the algorithm that we chose is `PASSWORD_BCRYPT`. That's the current strongest algorithm supported. This is the `BCRYPT` crypt algorithm. It produces a 60 character hash as the result.

`BCRYPT` also lets you define a `cost` parameter in the options array, which changes the CPU cost of the algorithm:

```
$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));
```

That's the same as the default. The cost can range from `4` to `31`. I would suggest that you use the highest cost that you can, while keeping response time reasonable (I target between 0.1 and 0.5 seconds for a hash, depending on use-case).
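One way to find that cost on a given host, as an added example (not code from password_compat): `calibrate_cost()`, its parameters and the 0.25-second target are assumptions chosen for illustration.

```php
<?php
// Added example, not part of password_compat.
// On PHP < 5.5, require the library's lib/password.php before running this.

/**
 * Return the highest bcrypt cost whose hash time stays at or under
 * $targetSeconds on this machine. Never returns less than $minCost,
 * even if $minCost itself is slower than the target.
 * (calibrate_cost is a hypothetical helper name.)
 */
function calibrate_cost($targetSeconds = 0.25, $minCost = 10, $maxCost = 31)
{
    $best = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        $hash = password_hash(
            'calibration-sample',   // constructed input; any string works
            PASSWORD_BCRYPT,
            array('cost' => $cost)
        );
        $elapsed = microtime(true) - $start;

        // password_hash signals failure with false or null.
        if ($hash === false || $hash === null) {
            throw new RuntimeException("password_hash failed at cost $cost");
        }
        if ($elapsed > $targetSeconds) {
            break; // this cost is too slow; keep the previous one
        }
        $best = $cost;
    }
    return $best;
}

printf("Use cost %d on this host\n", calibrate_cost(0.25));
```

Each cost step roughly doubles the work, so the loop stops after a few iterations. Run it on the hardware that will serve logins, since the result depends on the CPU.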

Another algorithm name is supported:

```
PASSWORD_DEFAULT
```

This will use the strongest algorithm available to PHP at the current time. Presently, this is the same as specifying `PASSWORD_BCRYPT`. But in future versions of PHP, it may be updated to use a stronger algorithm if one is introduced. It can also be changed if a problem is identified with the BCRYPT algorithm. Note that if you use this option, you are **strongly** encouraged to store the resulting hash in a `VARCHAR(255)` column to avoid truncation issues if a future algorithm increases the length of the generated hash.

It is very important to check the return value of `password_hash` before storing it, because `false` or `null` may be returned if an error occurred.

**Verifying Password Hashes**

To verify a hash created by `password_hash`, simply call:

```
if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}
```

That's all there is to it.

**Rehashing Passwords**

From time to time you may update your hashing parameters (algorithm, cost, etc.), so a function is available to determine whether rehashing is necessary:

```
if (password_verify($password, $hash)) {
    if (password_needs_rehash($hash, $algorithm, $options)) {
        $hash = password_hash($password, $algorithm, $options);
        /* Store new hash in db */
    }
}
```
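The pieces above combined into one login flow, as an added example that is not code from password_compat: `hash_or_fail()` and `login()` are hypothetical helpers, and `$users` is a constructed in-memory array standing in for the database column.

```php
<?php
// Added example, not part of password_compat.
// On PHP < 5.5, require the library's lib/password.php before running this.

// Hash a password and refuse to continue if password_hash reports failure,
// so false/null can never be written to storage in place of a hash.
function hash_or_fail($password, array $options)
{
    $hash = password_hash($password, PASSWORD_DEFAULT, $options);
    if ($hash === false || $hash === null) {
        throw new RuntimeException('password_hash failed; nothing stored');
    }
    return $hash;
}

// Verify a login and, only after a successful verify, upgrade the stored
// hash when it no longer matches the current algorithm/cost policy.
function login(array &$users, $name, $password, array $options)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, $options)) {
        $users[$name] = hash_or_fail($password, $options);
    }
    return true;
}

// Constructed sample data: one account hashed under an older cost policy.
$users = array('alice' => hash_or_fail('correct horse', array('cost' => 10)));
$before = $users['alice'];
$policy = array('cost' => 11); // current policy, raised by one step

// A failed login must leave the stored hash untouched.
var_dump(login($users, 'alice', 'wrong guess', $policy));
var_dump($users['alice'] === $before);

// A successful login transparently upgrades the hash to the new cost.
var_dump(login($users, 'alice', 'correct horse', $policy));
var_dump(password_get_info($users['alice']));
```

The rehash can only happen at login time because that is the only moment the plaintext password is available to the application.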

Security Vulnerabilities
========================


If you have found a security issue, please contact the author directly at .

