Is it safe to use password_hash with Unicode characters like the following, or are there incompatibility problems?
<?php
$hash = password_hash("漢字", PASSWORD_DEFAULT);
?>
For extremely secure passwords, it may be desirable to use Unicode characters via ALT codes.
Unicode is the magic system used so all the different letters and symbols from languages around the world can be used on a computer. Seriously, it's nothing short of amazing (representing over 110 thousand characters)! And they make for the ultimate geek password!
The hash generated by password_hash() is very secure. But you can make it even stronger with two simple techniques: increasing the bcrypt cost, and automatically updating the hashing algorithm.
The password_hash() function creates a new password hash using a strong one-way hashing algorithm. The password_hash() function is compatible with the crypt() function; therefore, password hashes created by crypt() can be used with password_hash().
The hashing algorithms themselves work on bytes, so they are unicode safe, as Mark commented. The only issue might be PHP's handling of unicode strings, i.e. are the password hashing functions binary-safe? Let's test it and find out:
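<?php
$pass = 0;
$fail = 0;
# Generate 100 random unicode passwords
for ($i = 0; $i < 100; $i++) {
    $password = '';
    for ($p = 0; $p < 10; $p++) {
        # mb_chr() turns the code point into a UTF-8 character (plain
        # concatenation of mt_rand() would append decimal digits instead).
        # The range stops below the surrogate block (0xd800-0xdfff),
        # which cannot be encoded as UTF-8.
        $password .= mb_chr(mt_rand(0xa1, 0xd7ff), 'UTF-8');
    }
    # Test password hashing
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify($password, $hash)) {
        $pass++;
    } else {
        $fail++;
    }
}
echo "Pass: $pass\nFail: $fail\n";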
Result:
Pass: 100
Fail: 0
The answer to your question is yes, it's safe.
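Because the hash is computed over bytes, two byte-level details matter for Unicode passwords: canonically equivalent input (precomposed vs. decomposed characters) yields different bytes, and bcrypt only uses the first 72 bytes of its input. The following is an added example, not part of the original answer; it assumes the intl and mbstring extensions are loaded, and prepare_password() is a hypothetical helper name.

```php
<?php
// Added example, not from the original answer. Assumes the intl extension
// (Normalizer) and mbstring; prepare_password() is a hypothetical helper.

const BCRYPT_MAX_BYTES = 72; // bcrypt ignores input past 72 bytes (PHP manual)

function prepare_password(string $input): string
{
    // Reject byte sequences that are not valid UTF-8 instead of hashing them.
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('Password is not valid UTF-8');
    }
    // Map canonically equivalent sequences to one byte representation (NFC).
    $normalized = Normalizer::normalize($input, Normalizer::FORM_C);
    if ($normalized === false) {
        throw new InvalidArgumentException('Password could not be normalized');
    }
    // strlen() counts bytes, which is what bcrypt sees:
    // "漢字" is 2 characters but 6 bytes in UTF-8.
    if (strlen($normalized) > BCRYPT_MAX_BYTES) {
        throw new LengthException('Password exceeds 72 bytes after normalization');
    }
    return $normalized;
}

// Constructed sample input: the same visible word, encoded two ways.
$nfc = "caf\u{00E9}";   // precomposed "é", 5 bytes
$nfd = "cafe\u{0301}";  // "e" + combining acute accent, 6 bytes

$hash = password_hash(prepare_password($nfc), PASSWORD_DEFAULT);

// Raw decomposed bytes differ from what was hashed.
var_dump(password_verify($nfd, $hash));
// After normalization the bytes are identical to the hashed input.
var_dump(password_verify(prepare_password($nfd), $hash));

// 25 CJK characters are 75 bytes in UTF-8, so the length check rejects them.
try {
    prepare_password(str_repeat('漢', 25));
} catch (LengthException $e) {
    echo $e->getMessage(), "\n";
}
```

The same prepare_password() call has to be applied at both registration and login, otherwise hashes stored from normalized input will not match raw input.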