Today I learned that "password" tends to mean a memorizable string of an arbitrary number of characters, while "key" means a highly random string of bi
If you wish to have them re-send their password every time you want to decrypt or encrypt the stored strings, you will have to use a consistent password hash and store the salt and iterations somewhere.
If you use the password_hash function, you'll never end up with the same value because of the randomly generated salt.
>>> password_hash('abc', PASSWORD_BCRYPT)
=> "$2y$10$xR8tZQd0ljF5Ks3QrQt7i.vAbv.xVUc97uh.fX4w0mi/A647HlEWS"
>>> password_hash('abc', PASSWORD_BCRYPT)
=> "$2y$10$KzZWeg.o/4TyJVryWrz/oeWQ6VGj0JnPDW.d.Cp0svu8k6qKBcbWu"
You can pass a salt through the options but this is deprecated through password_hash, so I'd recommend you stick with your first solution.
You don't need to use the same salt for every person, you can generate a random salt and store that somewhere, such as the users table.
Keep in mind, with this type of key derivation, you'll need to re-encrypt all of the values every time the user changes their password.
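The approach described above, as an added example that is not part of the original post: a deterministic key derivation with a per-user salt and iteration count stored alongside the user, followed by the re-encryption that a password change forces. The choice of PBKDF2 (`hash_pbkdf2`) and libsodium's secretbox, the iteration count, and all function and variable names are assumptions.

```php
<?php
declare(strict_types=1);

const KDF_ITERATIONS = 600000; // assumed work factor; store it with the salt

// Deterministic, unlike password_hash(): same password + salt + iterations
// always yields the same 32-byte key.
function deriveKey(string $password, string $salt, int $iterations): string
{
    return hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
}

function encryptValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function decryptValue(string $blob, string $key): string
{
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Stored value is too short');
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) { // authentication failed
        throw new RuntimeException('Wrong password or tampered ciphertext');
    }
    return $plain;
}

// Constructed stand-in for a row in the users table.
$user = ['salt' => random_bytes(16), 'iterations' => KDF_ITERATIONS];

$key    = deriveKey('abc', $user['salt'], $user['iterations']);
$stored = encryptValue('secret note', $key);

// Later request: the user re-sends the password; the key is re-derived
// from the stored salt and iteration count, never stored itself.
$again = deriveKey('abc', $user['salt'], $user['iterations']);
echo decryptValue($stored, $again), PHP_EOL;

// Password change: new random salt, new key, re-encrypt every stored value.
$newSalt = random_bytes(16);
$newKey  = deriveKey('new password', $newSalt, $user['iterations']);
$stored  = encryptValue(decryptValue($stored, $again), $newKey);
$user['salt'] = $newSalt;
echo decryptValue($stored, $newKey), PHP_EOL;
```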