What will happen is that newly hashed passwords will use the new algorithm - obviously.
However, you should not worry about this, because all of this is designed with forward compatibility in mind - your code will not break when the default algorithm changes, provided you use the password_*() functions correctly.
Right, I mean using password_verify().
password_verify() accepts the plaintext password and the hash, and it can easily determine which algorithm was used by looking at the hash you feed it. Therefore, it will also be able to verify a password that was hashed using the old algorithm - not only the previous one, but any supported algorithm.
In fact, the only purpose of the PASSWORD_DEFAULT constant is that you can easily migrate the old hashes to the new algorithm (after an upgrade). This happens as follows:
- When a user logs in, you verify the password with password_verify() (a hash produced with any PASSWORD_<name> constant will work).
- You call password_needs_rehash(), and if the password you just verified uses an older algorithm (or a lower "cost" parameter), it returns boolean TRUE.
- If TRUE was indeed returned, you can now replace the old hash with one that uses the new algorithm; you can do this during login because the user has just given you the password and you have confirmed that it is correct.
In conclusion, this is a really, really well thought-out API, and it solves problems for you that you did not even think about. Do not worry about it.
Edit (as noted in the comments):
It should be noted, however, that the new algorithms will very likely lead to an increase in the hash length, therefore, if you store passwords in the database, do not limit the length of the field (i.e. use a varchar(255) field).
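The verify-then-rehash flow described in the answer, written out as an added example (this is not code from the original answer or from PHP itself). It assumes a `$users` array standing in for the database table, a constructed password, and an application policy of PASSWORD_DEFAULT with cost 12; the function name `loginAndMaybeRehash` is hypothetical.

```php
<?php
// Added example (not from the original answer): login flow that verifies a
// password and transparently upgrades the stored hash whenever
// password_needs_rehash() reports that the stored hash is out of date.
// The $users array stands in for a database table; all values are constructed.

declare(strict_types=1);

// The policy the application wants to enforce today: default algorithm, cost 12.
// When PHP changes PASSWORD_DEFAULT, existing hashes keep verifying and are
// migrated one by one on successful login.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

/**
 * Verify $password against $storedHash.
 * Returns ['ok' => bool, 'newHash' => ?string]. newHash is non-null only when
 * the caller should overwrite the stored hash: the login succeeded AND the hash
 * no longer matches the current policy.
 */
function loginAndMaybeRehash(string $password, string $storedHash): array
{
    // password_verify() reads the algorithm and its parameters from the hash
    // prefix, so it accepts bcrypt, argon2i, argon2id or whatever produced it.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    // Rehash only when the stored hash differs from today's policy. This is the
    // only moment we hold the plaintext, so it is the only moment we can do it.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        return ['ok' => true, 'newHash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
    }
    return ['ok' => true, 'newHash' => null];
}

// --- Demo with constructed data ---
// Old record: bcrypt with a deliberately low cost of 4, as an older deployment
// might have stored it.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]),
];

$result = loginAndMaybeRehash('correct horse battery staple', $users['alice']);
assert($result['ok'] === true);
assert($result['newHash'] !== null);   // cost 4 < 12, so the hash was upgraded
$users['alice'] = $result['newHash'];  // persist; the column should be VARCHAR(255)

// Second login: the hash now matches policy, so no further rehash is requested.
$again = loginAndMaybeRehash('correct horse battery staple', $users['alice']);
assert($again['ok'] === true && $again['newHash'] === null);

// Wrong password: the hash is never touched.
$bad = loginAndMaybeRehash('wrong', $users['alice']);
assert($bad['ok'] === false && $bad['newHash'] === null);

echo 'algorithm now in use: ', password_get_info($users['alice'])['algoName'], PHP_EOL;
```

The rehash decision is made after a successful verification only, so a failed login can never cause a write to the user record. Because the upgrade happens per user at login time, a dormant account keeps its old hash until its owner logs in; auditing the stored hashes with password_get_info() shows how far the migration has progressed.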