Question 1

How to upgrade old SHA-512 passwords to PHP password_hash?

Accepted Answer

Use the UpgradeDecorator with a callback that validates your legacy hash, like checking hash('sha512', $password . $salt). On successful login, it automatically rehashes with password_hash and returns the new hash for persistence.

Question 2

Password Validator vs just using password_verify() directly – why bother?

Accepted Answer

Password Validator adds automatic rehashing and legacy upgrade capabilities, which are not handled by native functions alone. It simplifies maintenance by ensuring passwords stay current with security standards through decorators.

Question 3

How to automatically save rehashed passwords to a database?

Accepted Answer

Implement the StorageInterface with an updatePassword method, then wrap the validator in StorageDecorator. Pass the user identity as the fourth argument to isValid(), and it will persist rehashes without extra code.

Question 4

Can I change the bcrypt cost with Password Validator?

Accepted Answer

Yes, set the cost option via PasswordValidator::setOptions() before validation. The library uses this to check if rehashing is needed and applies it transparently, but ensure your database field is VARCHAR(255) for compatibility.

Question 5

Is Password Validator good for Laravel projects?

Accepted Answer

Not ideally, as Laravel has its own Hash facade that handles rehashing and upgrades. Password Validator is better for custom or legacy PHP apps without framework-level password management.

Question 6

What happens if I forget to update a rehashed password?

Accepted Answer

The user's next login will fail because the old hash won't match, potentially locking them out. The library warns about this in the README, so using StorageDecorator or manual persistence is critical.

Password Validator

What is Password Validator?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions