 

Is it safe to use password_hash with unicode characters?

Tags: php

Is it safe to use password_hash with unicode characters like the following, or are there incompatibility problems?

<?php
$hash = password_hash("漢字", PASSWORD_DEFAULT);
?>
user5115459 asked Jul 20 '15 08:07



1 Answer

The hashing algorithms themselves work on bytes, so they are unicode safe, as Mark commented. The only issue might be PHP's handling of unicode strings, i.e. are the password hashing functions binary-safe? Let's test it and find out:

<?php

$pass = 0;
$fail = 0;

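# Generate 100 random unicode passwords
# (mb_chr() requires PHP 7.2+ with the mbstring extension)
for ($i = 0; $i < 100; $i++) {
    $password = '';
    for ($p = 0; $p < 10; $p++) {
        # Pick a random code point, skipping the surrogate range
        # (U+D800-U+DFFF), which has no valid UTF-8 encoding
        do {
            $codepoint = mt_rand(0xa1, 0xffff);
        } while ($codepoint >= 0xd800 && $codepoint <= 0xdfff);
        # Append the UTF-8 encoded character; appending the integer
        # itself would only add ASCII digits to the password
        $password .= mb_chr($codepoint, 'UTF-8');
    }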

    # Test password hashing
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify($password, $hash)) {
        $pass++;
    } else {
        $fail++;
    }
}

echo "Pass: $pass\nFail: $fail\n";

Result:

Pass: 100
Fail: 0

The answer to your question is yes, it's safe.

Matt S answered Sep 19 '22 08:09
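
Two caveats the byte-level round trip above does not exercise, shown as an added example that is not part of the original answer: the same visible password can arrive in different Unicode normalization forms, and bcrypt only uses the first 72 bytes of its input, which multi-byte characters reach quickly. `prepare_password()` is a hypothetical helper, and `Normalizer` assumes the intl extension is loaded.

```php
<?php
// Added example, not the answerer's code. prepare_password() is a hypothetical
// helper; Normalizer requires the intl extension (assumed to be loaded).

const BCRYPT_MAX_BYTES = 72; // bcrypt ignores input past 72 bytes

function prepare_password(string $password): string
{
    if (!mb_check_encoding($password, 'UTF-8')) {
        throw new InvalidArgumentException('Password is not valid UTF-8');
    }
    // The same visible text can arrive as different byte sequences; pick one form.
    $normalized = Normalizer::normalize($password, Normalizer::FORM_C);
    if ($normalized === false) {
        throw new InvalidArgumentException('Password could not be normalized');
    }
    // The limit is in bytes, not characters: 24 CJK characters already fill it.
    if (strlen($normalized) > BCRYPT_MAX_BYTES) {
        throw new LengthException('Password exceeds 72 bytes in UTF-8');
    }
    return $normalized;
}

// Constructed sample inputs.
$composed   = "caf\u{00E9}";   // "é" as one code point (NFC)
$decomposed = "cafe\u{0301}";  // "e" + combining acute accent (NFD)

// 1. Raw bytes differ, so the two spellings are different passwords to bcrypt.
$rawHash = password_hash($composed, PASSWORD_BCRYPT);
var_dump(password_verify($decomposed, $rawHash));

// 2. Normalizing at both hash time and verify time makes them equivalent.
$hash = password_hash(prepare_password($composed), PASSWORD_BCRYPT);
var_dump(password_verify(prepare_password($decomposed), $hash));

// 3. 24 three-byte characters are exactly 72 bytes; check whether an extra
//    character appended after that point still verifies against the hash.
$long = str_repeat('漢', 24);
$longHash = password_hash($long, PASSWORD_BCRYPT);
var_dump(password_verify($long . '字', $longHash));

// 4. The helper rejects the over-long password instead of letting it truncate.
try {
    prepare_password($long . '字');
} catch (LengthException $e) {
    echo $e->getMessage(), "\n";
}
```

Whatever preparation is applied when the hash is created has to be applied identically before every `password_verify()` call, otherwise existing users can no longer log in.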