public function generatePasswordHash($password, $cost = null) { if ($cost === null) { $cost = $this->passwordHashCost; } if (function_exists('password_hash')) { /** @noinspection PhpUndefinedConstantInspection */ return password_hash($password, PASSWORD_DEFAULT, ['cost' => $cost]); } $salt = $this->generateSalt($cost); $hash = crypt($password, $salt); // strlen() is safe since crypt() returns only ascii if (!is_string($hash) || strlen($hash) !== 60) { throw new Exception('Unknown error occurred while generating hash.'); } return $hash; }

public function validatePassword($password, $hash) { if (!is_string($password) || $password === '') { throw new InvalidParamException('Password must be a string and cannot be empty.'); } if (!preg_match('/^\$2[axy]\$(\d\d)\$[\.\/0-9A-Za-z]{22}/', $hash, $matches) || $matches[1] < 4 || $matches[1] > 30 ) { throw new InvalidParamException('Hash is invalid.'); } if (function_exists('password_verify')) { return password_verify($password, $hash); } $test = crypt($password, $hash); $n = strlen($test); if ($n !== 60) { return false; } return $this->compareString($test, $hash); }

/** * @var string strategy, which should be used to generate password hash. * Available strategies: * - 'password_hash' - use of PHP `password_hash()` function with PASSWORD_DEFAULT algorithm. * This option is recommended, but it requires PHP version >= 5.5.0 * - 'crypt' - use PHP `crypt()` function. * @deprecated Since version 2.0.7, [[generatePasswordHash()]] ignores [[passwordHashStrategy]] and * uses `password_hash()` when available or `crypt()` when not. */

也就说在2.0.7之后就默认会使用`password_hash`,如果不存在此方法会使用`crypt`