

(PHP 5 >= 5.5.0, PHP 7)



boolean password_needs_rehash ( string $hash , integer $algo [, array $options ] )

Checks whether the given hash satisfies the specified algorithm and options. If it does not, the hash is considered to need rehashing.



A hash created by password_hash().


A password algorithm constant denoting the algorithm to use when hashing the password.


An associative array containing options. See the password algorithm constants page for the options each algorithm supports.

Example #1 Usage of password_needs_rehash()


<?php

$password = 'rasmuslerdorf';
$hash = '$2y$10$YCFsG6elYca568hBi2pZ0.3LDL5wjgxct1N8w/oLR/jfHsiQwCqTS';

// The cost parameter can be changed over time as hardware improves
$options = array('cost' => 11);

// Verify the stored hash against the plain-text password
if (password_verify($password, $hash)) {
    // Check whether a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, compute a new hash and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }

    // Log the user in
}


Returns TRUE if the hash needs to be rehashed to match the given algo and options, or FALSE otherwise.


User Contributed Notes 3 notes

nick at nickstallman dot net
3 years ago
ydroneaud, this would be used on a login page, not at any other time.

So if you have a site with MD5 passwords for example, and wish to upgrade to SHA256 for additional security you would put this check in the login script.

This function will take a user's hash and say if it is SHA256, if it isn't then you can take the user's password which you still have as plaintext and rehash it as SHA256.

This lets you gradually update the hashes in your database without disrupting any features or resetting passwords.

admin at torntech dot com
2 years ago
Another use case for the password_needs_rehash function is when you have specified the PASSWORD_DEFAULT algorithm for password_hash.
As mentioned on the Password Hashing Predefined Constants and password_hash pages, the algorithm used by PASSWORD_DEFAULT is subject to change as different versions of PHP are released.
Additionally, password_needs_rehash would be used if you have changed the optional cost or static salt (DO NOT USE A STATIC SALT) requirements of your password_hash options.

Full example:


<?php

$new = [
    'options' => ['cost' => 11],
    'algo' => PASSWORD_DEFAULT,
    'hash' => null
];

$password = 'rasmuslerdorf';

//stored hash of password
$oldHash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

//verify stored hash against plain-text password
if (true === password_verify($password, $oldHash)) {
    //verify legacy password to new password_hash options
    if (true === password_needs_rehash($oldHash, $new['algo'], $new['options'])) {
        //rehash/store plain-text password using new hash
        $newHash = password_hash($password, $new['algo'], $new['options']);
        echo $newHash;
    }
}

The above example will output something similar to:

php dot net at muer dot nl
3 years ago
nick, this function cannot check if a string is an MD5 or SHA1 hash. It can only tell you if a password, hashed using the password_hash function, needs to be put through the hashing function again to keep up to date with the new defaults.

The only time you can use this function is when your user logs in and you have already checked by means of password_verify that the password entered is actually correct. At that point, if password_needs_rehash returns true, you can put the plain text password through the password_hash function.
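
The login-time upgrade discussed in the notes above, covering both a legacy digest and an outdated bcrypt cost, as an added example that is not part of the manual page or of any contributor's note. The login() helper and the in-memory $users array are hypothetical, the sample records are constructed, legacy records are assumed to be unsalted MD5 hex digests, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example. $users stands in for a database table; both records are constructed.
$options = ['cost' => 11];
$users = [
    'legacy' => md5('rasmuslerdorf'),   // unsalted MD5 left over from an old scheme
    'bcrypt' => password_hash('rasmuslerdorf', PASSWORD_BCRYPT, ['cost' => 7]),
];

/**
 * Hypothetical login helper: returns true on a correct password and
 * replaces the stored hash in $users when it is out of date.
 */
function login(array &$users, $name, $password, array $options)
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    $isLegacy = password_get_info($stored)['algoName'] === 'unknown';

    if ($isLegacy) {
        // password_verify() cannot check an MD5 digest, so compare it directly,
        // using a constant-time comparison.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;   // the stored hash is never touched on a failed login
    }

    // Only now, with the plain-text password proven correct, replace the hash.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

var_dump(login($users, 'legacy', 'wrong-password', $options)); // failed login, MD5 record
var_dump(login($users, 'legacy', 'rasmuslerdorf', $options));  // correct login, MD5 record
var_dump(login($users, 'bcrypt', 'rasmuslerdorf', $options));  // correct login, cost 7 record
// After the successful logins both records are current password_hash() output.
var_dump(password_needs_rehash($users['legacy'], PASSWORD_DEFAULT, $options));
var_dump(password_needs_rehash($users['bcrypt'], PASSWORD_DEFAULT, $options));
```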