We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Security checkHash Takes Long Time


checkHash method under security class takes 25-30ms. Is it Ok?

private function _checkUser( Request $request ) {

    $username = $request->getQuery( 'username' );
    $password = $request->getQuery( 'password' );

    //Check username and password
    $user = Users::findFirst( array(
            "cache" => array( "key" => "users-cache", "lifetime" => 20 )
        ) );
    if ( $user ) {
        if ( $this->security->checkHash( $password, $user->password ) ) {
            return true;
        }else {
            return false;
    else {
        return false;

Without checkHash it takes only 4 ms.

Please suggest.

Thanks & Regards Tapan Thapa

Yes. Time it takes to verify the hash greatly depends on the work factor parameter of Phalcon\Security::hash(). The work factor (aka cost) is none other than base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm (see http://php.net/crypt). Say, if the work factor is 20, the original password is iteratively hashed 2^20 times. This is used to make brute force attacks not feasible.

Ok..So do you recommend using Crypt class for faster decryption of password. (http://docs.phalcon.io/en/latest/reference/crypt.html)

No :-) Phalcon\Security uses crypt() internally, I just tried to explain why checkHash() takes much time.