{pwdcrypt:text}

Description

Hashes a plain-text password into the AA password storage format. It calls PHP password_hash with PASSWORD_DEFAULT, which on this install is bcrypt: a 60-character string that begins with $2y$. Each call uses a fresh random salt, so hashing the same input twice gives two different hashes. That is by design - it is what lets the stored hash resist precomputed-table attacks. Because the salt is random, the output is never cached and is not reproducible, so a pwdcrypt result can be checked only by AA login code (password_verify), not by re-hashing and comparing in a template. Typical use: produce the value for a Reader-slice user password field, or generate a hash to store in a user record.

Parameters

text (optional)

The plain-text password to hash. Any string. If omitted, an empty string is hashed (still a valid 60-character bcrypt hash). The value is not stored or echoed anywhere except inside the returned hash.

Examples

test: {strlen:{pwdcrypt:}}
Expected: 60
Actual: 60
The text parameter has no default. If you pass nothing, an empty string is hashed - which is still a valid 60-character bcrypt hash, not an error. Pass a real password in production.
test: {strlen:{pwdcrypt:correct horse battery staple}}
Expected: 60
Actual: 60
A bcrypt hash is always 60 characters, whatever the input. The hash itself differs every call (random salt), so a template can only assert stable properties of it - here its length.
test: {substr:{pwdcrypt:correct horse battery staple}:0:4}
Expected: $2y$
Actual: $2y$
On this install PASSWORD_DEFAULT is bcrypt, so every hash begins with the algorithm marker $2y$. The next two characters are the cost (for example 10 or 12).
virtual: {pwdcrypt:correct horse battery staple}
Expected: (a fresh 60-char bcrypt hash, e.g. $2y$12$kpxmndMsb5f86nsx7WlXYO.RMpL5L2iFsvR7fzyUJSqH4J1kP5TBO)
Actual: $2y$12$1ARAjh86LpwsM.H/dkZcpuVqo0ZAr5h/iP.6gQ4Ev4zcUjRj0oiKq
The core use: turn a plain password into a stored hash. The output changes on every render because the salt is random, so this cannot be a fixed-value test - the shape is $2y$<cost>$<22-char salt><31-char hash>, 60 characters total.
virtual: {pwdcrypt:_#NEWPWD__}
Expected: (the 60-char hash of whatever _#NEWPWD__ held)
Actual: $2y$12$LbGkibn0pu6k9YoGV7jSr.udp6qYGr13m.1keNWmXbcRWGVqFeVZe
Real-world pattern in a Reader-slice signup: feed the submitted password field (here the alias _#NEWPWD__) through pwdcrypt and store THAT in the user password field - never store the plain text. AA login later checks it with password_verify. Output is runtime-dependent (the input is whatever was submitted, and the salt is random), so this is illustrative.
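
The same behaviour shown with the underlying PHP calls: why re-hashing and comparing fails, why password_verify works, and how the 60-character string splits into cost, salt and digest. This is an added example in plain PHP, not ActionApps code; bcrypt_parts, show and the cost value 13 are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration in plain PHP; not ActionApps source code.

/** Split a bcrypt string into variant, cost, salt and digest; null if malformed. */
function bcrypt_parts(string $hash): ?array
{
    // $2y$ + two-digit cost + $ + 22-char salt + 31-char digest = 60 characters
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#D';
    if (preg_match($re, $hash, $m) !== 1) {
        return null;
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

/** Constructed helper: print one labelled boolean result. */
function show(string $label, bool $value): void
{
    echo str_pad($label, 46), var_export($value, true), PHP_EOL;
}

$password = 'correct horse battery staple';   // sample input used on this page

// PASSWORD_BCRYPT is named explicitly so the output matches the install described
// above, whatever PASSWORD_DEFAULT resolves to on the machine running this.
$stored = password_hash($password, PASSWORD_BCRYPT);
$again  = password_hash($password, PASSWORD_BCRYPT);

$a = bcrypt_parts($stored);
$b = bcrypt_parts($again);
if ($a === null || $b === null) {
    exit("unexpected hash format\n");
}

show('length is 60', strlen($stored) === 60);
show('same password, identical hash', $stored === $again);
show('same password, identical salt', $a['salt'] === $b['salt']);

// Broken check: re-hashing draws a new salt, so equality fails for the right password.
show('re-hash and compare accepts right password',
    password_hash($password, PASSWORD_BCRYPT) === $stored);

// Working check: password_verify reads the cost and salt back out of the stored hash.
show('password_verify accepts right password', password_verify($password, $stored));
show('password_verify accepts wrong password', password_verify('wrong guess', $stored));

// A stored hash whose cost differs from current policy should be replaced at next login.
show('needs rehash at cost 13', password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13]));
```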