Hasher Usage

Use Quantum\Hasher\Hasher directly when you need password hashing behavior without the higher-level Auth package.

Hashing and verifying a password

use Quantum\Hasher\Hasher;

$hasher = new Hasher();

$hash = $hasher->hash('secret');

if ($hasher->check('secret', $hash)) {
    // password matches
}

A new instance uses bcrypt with cost 12 by default.

Lowering the cost in tests or local tooling

Quantum's own tests reduce the cost before hashing so password operations run faster:

$hasher = (new Hasher())->setCost(4);
$hash = $hasher->hash('secret');

That pattern is reasonable for tests. Do not copy it into production unless you intentionally want weaker bcrypt work factors.

Detecting when a stored hash should be upgraded

$hasher = (new Hasher())->setCost(4);
$hash = $hasher->hash('secret');

$hasher->setCost(5);

if ($hasher->needsRehash($hash)) {
    $hash = $hasher->hash('secret');
}

This is the normal upgrade path:

  1. verify the password with check()
  2. call needsRehash() against the stored hash
  3. write a new hash if the current settings require it

Switching algorithms

$hasher = (new Hasher())
    ->setAlgorithm(PASSWORD_DEFAULT);

$hash = $hasher->hash('secret');

If you need to change both the algorithm and the cost, set the algorithm first:

$hasher = (new Hasher())
    ->setAlgorithm(PASSWORD_BCRYPT)
    ->setCost(12);

Keep two caveats in mind:

  • setAlgorithm() does not validate the algorithm name itself
  • setCost() only enforces range checks when the current algorithm is PASSWORD_BCRYPT

Inspecting current settings

$hasher = (new Hasher())->setCost(4);

$currentAlgorithm = $hasher->getAlgorithm();
$currentCost = $hasher->getCost();

These getters show the object's active settings. They do not read anything from a stored password hash.

Inspecting stored hash metadata

$hasher = (new Hasher())->setCost(4);
$hash = $hasher->hash('secret');

$info = $hasher->info($hash);

The returned array is the raw output from PHP's password_get_info(). In Quantum's tests, the package expects keys such as algoName to be present.

For login flows:

  • use check() to verify the submitted password
  • use needsRehash() after a successful match
  • use a new hash() only when the password is first stored or upgraded

If you already use Quantum's Auth package, let that package own the hasher lifecycle instead of sharing one mutable Hasher object across unrelated code.