PHP password_hash() function

Hello, everyone

I want to know your opinion on using PHP’s password_hash() function.
Like, how secure is it when it comes to rainbow attacks and other forms of attacks?
What hash algorithm would you recommend to encrypt passwords? More so, which is better: PBKDF2 or bcrypt?

Thank you :)

PHP’s password_hash functions are almost certainly your best bet. They do everything you’re supposed to do, and they do it right, with as simple of an API as you could ever hope for.

Every password by default gets a unique 128-bit salt and 1,024 iterations. Definitely secure against rainbow attacks and other known forms of attack.

Probably PBKDF2 < bcrypt < scrypt

PBKDF2 can use an arbitrary amount of computing power. Bcrypt can also use an arbitrary amount of computing power but also has an expensive memory cost. Scrypt can use an arbitrary amount of computing power and an arbitrary amount of memory. Though, bcrypt is plenty sufficient and available through the convenient password_hash functions, so that’s probably still your best bet.
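
The flow described in the answer above, as an added example that is not part of the original posts: per-password salts, verification, and upgrading the work factor on login. The in-memory `$users` store, the `register()` and `login()` helpers, the sample passwords and the target cost of 12 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory user store standing in for a database table (constructed sample data).
$users = [];

// Target work factor for new hashes; 12 is an assumed value, tune it to your hardware.
const HASH_OPTIONS = ['cost' => 12];

function register(array &$users, string $name, string $password, array $options = HASH_OPTIONS): void
{
    // password_hash() generates a fresh random salt on every call and embeds
    // the algorithm, cost and salt in the returned string.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
}

function login(array &$users, string $name, string $password): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade transparently when the stored hash uses an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return true;
}

// Same password on two accounts: the stored hashes differ because the salts differ,
// so a precomputed (rainbow) table cannot cover both.
register($users, 'alice', 'correct horse battery staple');
register($users, 'bob', 'correct horse battery staple');
var_dump($users['alice'] !== $users['bob']);

// An account created earlier with a lower cost is re-hashed on its next successful login.
register($users, 'carol', 'hunter2-constructed', ['cost' => 10]);
echo password_get_info($users['carol'])['options']['cost'], PHP_EOL;
var_dump(login($users, 'carol', 'hunter2-constructed'));
echo password_get_info($users['carol'])['options']['cost'], PHP_EOL;

// A wrong password is rejected and leaves the stored hash untouched.
var_dump(login($users, 'carol', 'wrong-password'));
```

Store the full string returned by `password_hash()` in a column wide enough for future algorithms (the PHP manual suggests 255 characters), and note that bcrypt only uses the first 72 bytes of the password.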