Hi internals, I just spent some time debugging an authentication issue after upgrading PHP, and realized that it was due to ext-sodium not being installed, so password_verify() would always return false for argon2i hashes.
Digging a bit more, I realized that password_verify() does not complain if the algorithm is unknown, or if the hash string is malformed:

    var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // false

Shouldn't it throw an exception, or at least trigger a warning, when the algorithm is unknown, or the hash is malformed? Returning false, IMO, should mean "I recognize this hash, but it doesn't match your password". "I don't recognize this hash" is an application issue and should be reported. What do you think? — Benjamin
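As an added illustration (not part of the original message, and not PHP's own API), the check below distinguishes "hash not recognized by this build" from "password does not match" today, without waiting for a language change. It relies only on password_get_info(), whose 'algoName' entry is 'unknown' for any hash whose algorithm is not registered in the running build (a malformed string, or an argon2i hash on a binary without Argon2 support), and on password_algos() (PHP >= 7.4) for a boot-time availability check. The class and function names are hypothetical; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type: "this build cannot interpret the stored hash"
// is an operational fault, not an authentication failure.
final class UnrecognizedPasswordHash extends RuntimeException {}

/**
 * Hypothetical wrapper around password_verify(). It throws when the hash's
 * algorithm is not registered in this PHP build instead of silently
 * returning false, so a missing extension shows up as an error rather than
 * as "wrong password" for every user.
 */
function strictPasswordVerify(string $password, string $hash): bool
{
    // password_get_info() reports 'unknown' for malformed strings and for
    // algorithms this binary was not built with (e.g. argon2i without Argon2).
    $info = password_get_info($hash);
    if ($info['algoName'] === 'unknown') {
        throw new UnrecognizedPasswordHash(
            'Stored hash uses an algorithm this PHP build does not recognize; '
            . 'compare against password_algos()'
        );
    }

    return password_verify($password, $hash);
}

// Constructed demo inputs: one valid bcrypt hash, one garbage string.
$bcryptHash = password_hash('passw0rd', PASSWORD_BCRYPT);

var_dump(strictPasswordVerify('passw0rd', $bcryptHash)); // genuine match
var_dump(strictPasswordVerify('wrong', $bcryptHash));    // genuine mismatch

try {
    strictPasswordVerify('passw0rd', 'any/string%as|a$hash');
} catch (UnrecognizedPasswordHash $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}

// Boot-time check: fail loudly if the user table depends on a hash type that
// this build cannot verify, instead of discovering it one failed login at a time.
$requiredAlgos = ['bcrypt', 'argon2i'];
$missing = array_diff($requiredAlgos, password_algos());
if ($missing !== []) {
    fwrite(STDERR, 'Missing password algorithms in this PHP build: '
        . implode(', ', $missing) . PHP_EOL);
}
```

The boot-time check is the part that would have surfaced the upgrade problem described above immediately: after a rebuild, a deployment that stores argon2i hashes should refuse to start (or at least log loudly) when 'argon2i' is absent from password_algos(), rather than letting every login fail with a plain false.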