SCryptHash()
Generates an SCrypt password hash. Use this instead of the deprecated GenerateSCryptHash().
Requires Extension: Crypto Extension
SCryptHash( input=string, costParameter=numeric, blockSize=numeric, parallelization=numeric );
Returns: String
| Argument | Description | Default |
|---|---|---|
| input (string, required) | Password to hash | |
| costParameter (numeric, optional) | CPU/memory cost (N) - must be power of 2 | 16384 |
| blockSize (numeric, optional) | Block size (r) | 8 |
| parallelization (numeric, optional) | Parallelization factor (p) | 1 |
Usage Notes
SCrypt is a memory-hard password hashing algorithm. It's harder to attack with GPUs/ASICs than BCrypt because it requires large amounts of memory.
Parameters: The cost parameter N must be a power of 2 (e.g. 4096, 8192, 16384). The defaults (N=16384, r=8, p=1) are reasonable for most applications. Increase N to make hashing slower and more memory-intensive.
For new applications, prefer Argon2Hash() which is easier to tune and was specifically designed to improve on SCrypt's design.
Replaces the deprecated GenerateSCryptHash().
Examples
```cfml
// SCryptHash generates a memory-hard password hash
// Defaults: N=16384 (CPU/memory cost), r=8 (block size), p=1 (parallelism)
hash = SCryptHash( "my-secret-password" );
// Output format: $scrypt$ln=14,r=8,p=1$salt$hash

// Each call produces a different hash due to random salting
hash1 = SCryptHash( "password" );
hash2 = SCryptHash( "password" );
// hash1 != hash2

// Verify with SCryptVerify()
isValid = SCryptVerify( "my-secret-password", hash ); // true

// Custom cost parameters: N (must be a power of 2), r, p
// Higher N = more memory and CPU required
hash = SCryptHash( "password", 32768, 8, 1 );
```
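Because the cost parameters are stored in the hash string, a login handler can detect hashes created with weaker settings and upgrade them while the plaintext password is available. The following is an added example, not part of the Lucee documentation: `policy`, `parseSCryptParams()` and `verifyAndUpgrade()` are hypothetical names, the policy values are assumptions, and it assumes `ln` in the output format is log2(N), which matches `ln=14` for the default N=16384.

```cfml
// Added example. Target parameters are an assumption; N must be a power of 2.
// scrypt needs roughly 128 * N * r bytes: 128 * 32768 * 8 = 32 MiB per hash.
policy = { N: 32768, r: 8, p: 1 };

// Parse "$scrypt$ln=14,r=8,p=1$salt$hash" into N, r and p.
// Assumption: ln is log2(N), as ln=14 corresponds to the default N=16384.
function parseSCryptParams( required string stored ) {
    // Empty leading element before the first "$" is dropped by listToArray
    var parts = listToArray( stored, "$" );
    if ( arrayLen( parts ) != 4 || parts[ 1 ] != "scrypt" ) {
        throw( type="InvalidHash", message="Not an scrypt hash string" );
    }
    var raw = {};
    for ( var pair in listToArray( parts[ 2 ], "," ) ) {
        raw[ listFirst( pair, "=" ) ] = val( listLast( pair, "=" ) );
    }
    for ( var key in [ "ln", "r", "p" ] ) {
        if ( !structKeyExists( raw, key ) || raw[ key ] < 1 ) {
            throw( type="InvalidHash", message="Missing or invalid parameter: " & key );
        }
    }
    return { N: 2 ^ raw.ln, r: raw.r, p: raw.p };
}

// Verify a login. When the stored parameters are below policy, also return
// a replacement hash so the caller can store it in place of the old one.
function verifyAndUpgrade( required string password, required string stored ) {
    var result = { valid: false, newHash: "" };
    if ( !SCryptVerify( password, stored ) ) {
        return result;
    }
    result.valid = true;
    var cur = parseSCryptParams( stored );
    if ( cur.N < policy.N || cur.r < policy.r || cur.p < policy.p ) {
        result.newHash = SCryptHash( password, policy.N, policy.r, policy.p );
    }
    return result;
}

// Constructed sample flow: a hash created with the page defaults, then a login
stored  = SCryptHash( "my-secret-password" );
outcome = verifyAndUpgrade( "my-secret-password", stored );
if ( len( outcome.newHash ) ) {
    stored = outcome.newHash; // persist this in place of the old hash
}
```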
See also
- Cryptography
- GenerateSCryptHash()
- SCryptVerify()
- VerifySCryptHash()
- Search Issue Tracker
- Search Lucee Test Cases (good for further, detailed examples)