{"id":25015754,"url":"https://github.com/brenno-duarte/php-secure-password","last_synced_at":"2026-02-12T07:37:04.416Z","repository":{"id":62496872,"uuid":"358966360","full_name":"brenno-duarte/php-secure-password","owner":"brenno-duarte","description":"SecurePassword is a PHP component for creating strong passwords using modern encryption.","archived":false,"fork":false,"pushed_at":"2025-07-03T17:10:10.000Z","size":54,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-12T19:09:38.073Z","etag":null,"topics":["php","php-pass","php-password","php-security"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brenno-duarte.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-04-17T19:35:07.000Z","updated_at":"2025-07-03T17:10:14.000Z","dependencies_parsed_at":"2025-09-12T18:24:44.016Z","dependency_job_id":"414cc670-b57c-4fc0-84bc-20a31db281b2","html_url":"https://github.com/brenno-duarte/php-secure-password","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/brenno-duarte/php-secure-password","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brenno-duarte%2Fphp-secure-password","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brenno-duarte%2Fphp-secure-password/tags","releases_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brenno-duarte%2Fphp-secure-password/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brenno-duarte%2Fphp-secure-password/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brenno-duarte","download_url":"https://codeload.github.com/brenno-duarte/php-secure-password/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brenno-duarte%2Fphp-secure-password/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29361630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T01:03:07.613Z","status":"online","status_checked_at":"2026-02-12T02:00:06.911Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["php","php-pass","php-password","php-security"],"created_at":"2025-02-05T08:31:44.091Z","updated_at":"2026-02-12T07:37:04.401Z","avatar_url":"https://github.com/brenno-duarte.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PHP SecurePassword\n\nSecurePassword is a PHP component for creating strong passwords using modern encryption.\n\n## Why use this component?\n\nUnlike just using `password_hash` or `password_verify`, SecurePassword adds a secret entry (commonly called a pepper) to make it difficult to break the generated hash.\n\n## Requirements\n\nPHP \u003e= 
8.2\n\n## Installing via Composer\n\n```\ncomposer require brenno-duarte/php-secure-password\n```\n\n## How to use\n\nThe code below shows an example of creating the hash. The `createHash` method generates the password hash along with the \"pepper\", and the `getHash` method returns the generated hash.\n\n```php\nuse SecurePassword\\SecurePassword;\n\n$password = new SecurePassword();\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHash();\n\n/** Return string */\nvar_dump($hash);\n```\n\n## Settings\n\nYou can change encryption settings without using the methods listed below. To do this, pass the following configuration to the constructor:\n\n```php\nuse SecurePassword\\AlgorithmEnum;\n\n$config = [\n    'algo' =\u003e AlgorithmEnum::DEFAULT,\n    'cost' =\u003e 12,\n    'memory_cost' =\u003e PASSWORD_ARGON2_DEFAULT_MEMORY_COST,\n    'time_cost' =\u003e PASSWORD_ARGON2_DEFAULT_TIME_COST,\n    'threads' =\u003e PASSWORD_ARGON2_DEFAULT_THREADS\n];\n\n$password = new SecurePassword($config);\n```\n\nYou can use the following algorithms: `AlgorithmEnum::DEFAULT`, `AlgorithmEnum::BCRYPT`, `AlgorithmEnum::ARGON2I`, `AlgorithmEnum::ARGON2ID`.\n\n## Changing the encryption algorithm\n\n**NOTE: If you are using the settings passed in the constructor then you can ignore the code below.**\n\nYou can change the type of algorithm used to generate the hash. 
It is possible to use `PASSWORD_BCRYPT`, `PASSWORD_ARGON2I`, `PASSWORD_ARGON2ID` and even `PASSWORD_DEFAULT`.\n\n- `useDefault()` will use standard encryption\n- `useBcrypt()` will use Bcrypt encryption\n- `useArgon2()` will use Argon2 encryption\n- `useArgon2(true)` passing `true` will use Argon2d encryption\n\n```php\n# standard encryption\n$hash = $password-\u003euseDefault()-\u003ecreateHash('my_password')-\u003egetHash();\n\n# Bcrypt encryption\n$hash = $password-\u003euseBcrypt()-\u003ecreateHash('my_password')-\u003egetHash();\n\n# Argon2 encryption\n$hash = $password-\u003euseArgon2()-\u003ecreateHash('my_password')-\u003egetHash();\n\n# Argon2d encryption (with `true`)\n$hash = $password-\u003euseArgon2(true)-\u003ecreateHash('my_password')-\u003egetHash();\n```\n\nIf the type of algorithm is not provided, the default encryption will be 'PASSWORD_DEFAULT'.\n\n## Returns information about the given hash\n\nTo return the information of the created hash, use the `getHashInfo` method.\n\n```php\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHashInfo();\n\n/** Return array */\nvar_dump($hash);\n```\n\n## Verifies that a password matches a hash\n\nTo verify that the hash generated with `createHash` is valid, you can use `verifyHash` in two ways:\n\n```php\n# First way\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHash();\n$res = $password-\u003everifyHash('my_password', $hash);\n\n# Second way\n$res = $password-\u003ecreateHash('my_password')-\u003everifyHash();\n\n/** Return bool */\nvar_dump($res);\n```\n\nTo make timing attacks more difficult, the `verifyHash` method waits 0.25 seconds (250000 microseconds) before returning the value. 
You can change this time with the third parameter.\n\n```php\n# First way\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHash();\n$res = $password-\u003everifyHash('my_password', $hash, 300000);\n\n# Second way\n$res = $password-\u003ecreateHash('my_password')-\u003everifyHash(wait_microseconds: 300000);\n\n/** Return bool */\nvar_dump($res);\n```\n\n**NOTE: If you are using the settings passed in the constructor then you can ignore the code below.**\n\nYou can change the type of algorithm that will be used to check the hash.\n\n```php\n$hash = $password-\u003euseArgon2()-\u003ecreateHash('my_password')-\u003egetHash();\n$res = $password-\u003euseArgon2()-\u003everifyHash('my_password', $hash);\n\n/** Return bool */\nvar_dump($res);\n```\n\n## Needs Rehash\n\nIf the encryption type has been changed, you can generate a new hash with the new encryption. The `needsRehash()` method checks whether the given hash needs to be regenerated; if it does not, the method returns `false`.\n\n**Example 1**\n\n```php\n$password = new SecurePassword();\n$hash = $password-\u003euseArgon2()-\u003ecreateHash('my_password')-\u003egetHash();\n$needs = $password-\u003euseDefault()-\u003eneedsRehash('my_password', $hash);\n\n/** Return string */\nvar_dump($needs);\n```\n\n**Example 2**\n\n```php\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHash();\n\n$password = new SecurePassword([\n    'algo' =\u003e AlgorithmEnum::BCRYPT\n]);\n$needs = $password-\u003eneedsRehash('my_password', $hash);\n\n/** Return false */\nvar_dump($needs);\n```\n\n## Adding options\n\n**NOTE: If you are using the settings passed in the constructor then you can ignore the code below.**\n\nAdd options in the `useDefault`, `useBcrypt` and `useArgon2` methods.\n\n- useDefault: default options, use an array.\n- useBcrypt: you can change `$cost`. The default is `12`.\n- useArgon2: you can change `$memory_cost`, `$time_cost` and `$threads`. 
The default is the constants `PASSWORD_ARGON2_DEFAULT_MEMORY_COST`, `PASSWORD_ARGON2_DEFAULT_TIME_COST` and `PASSWORD_ARGON2_DEFAULT_THREADS`.\n\n```php\n# standard encryption\n$hash = $password-\u003euseDefault([])-\u003ecreateHash('my_password');\n\n# Bcrypt encryption\n$hash = $password-\u003euseBcrypt(12)-\u003ecreateHash('my_password');\n\n# Argon2 encryption\n$hash = $password-\u003euseArgon2(false, PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWORD_ARGON2_DEFAULT_TIME_COST, PASSWORD_ARGON2_DEFAULT_THREADS)-\u003ecreateHash('my_password');\n\n# Argon2d encryption (with `true`)\n$hash = $password-\u003euseArgon2(true, PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWORD_ARGON2_DEFAULT_TIME_COST, PASSWORD_ARGON2_DEFAULT_THREADS)-\u003ecreateHash('my_password');\n```\n\n## Using OpenSSL and Sodium encryption\n\nSecurePassword includes the component [paragonie/sodium_compat](https://github.com/paragonie/sodium_compat). Therefore, it is not necessary to use the Sodium library in PECL format.\n\nYou can use OpenSSL and Sodium encryption using the `Encryption` class:\n\n```php\nuse SecurePassword\\Encrypt\\Encryption;\n\n$encryption = new Encryption('your-key');\n\n//Encrypt the message\n$encrypt = $encryption-\u003eencrypt(\"This is a text\");\necho $encrypt;\n```\n\nYou can decrypt the token by calling the `decrypt` method:\n\n```php\n$encryption = new Encryption('your-key');\n\n//Decrypt the message\n$decrypt = $encryption-\u003edecrypt($encrypt);\necho $decrypt;\n```\n\nYou can pass a supported adapter to the class, like this:\n\n**Use of OpenSSL**\n\n```php\n$encryption = new Encryption(new OpenSslEncryption('your-key'));\n```\n\n**Use of Sodium**\n\n```php\n$encryption = new Encryption(new SodiumEncryption('your-key'));\n```\n\nBy default, OpenSSL is used; you can use whichever adapter you want.\n\n## Changing the secret entry (recommended)\n\nIt is recommended to change the secret entry (or pepper) that will be added to your password. 
Use `setPepper` to change it.\n\n```php\n$password = new SecurePassword();\n$password-\u003esetPepper('new_pepper');\n```\n\nBy default, the `setPepper` method uses OpenSSL encryption. However, you can use Sodium encryption if you want.\n\n```php\n// Use OpenSSL\n$password-\u003esetPepper('new_pepper', 'openssl');\n\n// Use Sodium\n$password-\u003esetPepper('new_pepper', 'sodium');\n```\n\n## Getting the ideal encryption cost\n\nHere's a quick little function that will help you determine what cost parameter you should be using for your server to make sure you are within this range.\n\n```php\n$optimal_cost = SecurePassword::getOptimalBcryptCost('my_password');\n\n$password = new SecurePassword([\n    'cost' =\u003e $optimal_cost\n]);\n$hash = $password-\u003ecreateHash('my_password')-\u003egetHash();\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrenno-duarte%2Fphp-secure-password","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrenno-duarte%2Fphp-secure-password","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrenno-duarte%2Fphp-secure-password/lists"}