PHP 5.6.0RC3 is available


(PHP 5 >= 5.5.0)

password_needs_rehashComprueba si el hash facilitado coincide con las opciones proporcionadas


boolean password_needs_rehash ( string $hash , integer $algo [, array $options ] )

Esta función comprueba si el hash facilitado implementa el algoritmo y opciones proporcionadas. Si no, asume que el hash necesita volver a ser generado.



Un hash creado por password_hash().


A constante del algoritmo de contraseñas indicando qué algoritmo utilizar para crear el hash de la contraseña.


Un array asociativo de opciones. Véanse las constantes de algoritmos de contraseñas para la documentación sobre las opociones admitidas de cada algoritmo.

Valores devueltos

Devuelve TRUE si el hash debe ser generado de nuevo para coincidir con la información pasada a algo y options, o FALSE en cualquier otro caso.

add a note add a note

User Contributed Notes 4 notes

nick at nickstallman dot net
1 year ago
ydroneaud this would be used on a login page, not at any other time.

So if you have a site with MD5 passwords for example, and wish to upgrade to SHA256 for additional security you would put this check in the login script.

This function will take a user's hash and say if it is SHA256, if it isn't then you can take the user's password which you still have as plaintext and rehash it as SHA256.

This lets you gradually update the hashes in your database without disrupting any features or resetting passwords.
2 months ago
the correct use case is given here  ( )

if (password_verify($password, $hash)) {
        if (password_needs_rehash($hash, $algorithm, $options)) {
            $hash = password_hash($password, $algorithm, $options);
            /* Store new hash in db */
php dot net at muer dot nl
2 months ago
nick, this function cannot check if a string is a MD5 or SHA1 hash. It can only tell you if a password, hashed using the password_hash function, needs to be put through the hashing function again to keep up to date with the new defaults.

The only time you can use this function is when your user logs in and you have already checked by means of password_verify that the password entered is actually correct. At that point, if password_needs_rehash returns true, you can put the plain text password through the password_hash function.
ydroneaud at opteya dot com
1 year ago
According to the documentation, it's checking if the given hashed password string is compatible with the provided algorithm (and options, but not salt), eg. it's checking if the hashed password string was generated with the provided algorithm (and options, but not salt).

There's nothing to 'rehash' in its parameters ... especially not the already hashed password string, and the password "stored" in the hashed password string is not supposed to be known, it's not in clear, it's a secret.

The name of the function seems misleading, this function should have been called "password_hash_compatible()" instead.

This function could be use to check if a password database/a hashed password string (hashed by function "password_hash()") need to be upgraded to a stronger password hashing/storage scheme: if the function returns false,  a new password will have to be set for the user, hashed with the new, stronger, algorithm/options.

One should carefully think before using this function to support multiple algorithms/options in one database, eg. support "legacy scheme" passwords + "new scheme" ...
To Top