Which is/are the most secure password hash algorithm(s) in PHP? [duplicate]

Question

Which are the most secure password hash algorithm(s) in PHP?

Speed is irrelevant because I'm iterating the hash over a fixed time (rather than a fixed number of iterations). What I'm interested in is the mathematical strength.

My intuition tells me it's whirlpool, being the largest and slowest of the bunch. That or SHA-512. Which is recommended by experts?

Are there any other algorithms which provide more than 512 bit hashes?

Answer 1

Use the function password_hash(). If you let it (by specifying PASSWORD_DEFAULT), it will choose the recommended algorithm, which currently is BCrypt. If the algorithm changes, you don't have to change the code. If you like, you can also explicitly choose this algorithm using the constant PASSWORD_BCRYPT, but that opposes the intention of automatically updating to better algorithms when they become available in future versions.

You can use password_verify() to verify the password.

PHP will add the used algorithm to the hash, as well as a salt, so it will know everything it needs to know for the verification. That way, when new algorithms become available in newer versions of PHP, they will be used automatically, and those passwords will have a stronger hash.

You can use password_needs_rehash() to check if a password needs to be rehashed, should the default ever change.

If a password validates, you can rehash it and store it. That way you will update old passwords with weaker hashes automatically when a user logs in.