How to Hash Password in PHP

Olorunfemi Akinlua Feb 02, 2024

PHP is used for server-side development, and login and registration flows need passwords. To protect users' security and privacy, we hash passwords so that no one (including you and your database administrator) can recover a user's password from what is stored.

However, because a hash cannot be reversed, logging the person in means hashing the password they type again and comparing the result with the stored hash. This article explains what password hashing is and how to use the PHP built-in functions password_hash() and password_verify().

Password Hashing in PHP

Data collected from users is stored in databases that are readable by anyone with access to the database. Usernames and addresses are often stored as they are; a password is different, because it is the key to the user's account.

The user's password string is passed through a hashing algorithm (this article names bcrypt, md5, sha-1 and sha-2) so that the password itself is never saved; a scrambled, one-way representation of the text is stored instead, and during login the representation of the password entered is compared with the stored one. Of the algorithms listed, only bcrypt is designed for passwords: md5, sha-1 and sha-2 are fast general-purpose hashes with no built-in salt or work factor, so stored hashes made with them are cheap to brute-force. The rest of this article therefore uses bcrypt through password_hash().

The built-in password_hash() function uses the bcrypt algorithm, which is what Auth0 recommends and uses for its client base. The companion password_verify() function compares a plaintext password against a hash and returns the Boolean true when they match and false otherwise.

Use password_hash() and password_verify() for Password Hashing in PHP

When a user creates a new account on your site, you, as the PHP developer, must make sure your application hashes the password before storing it. For that we use the password_hash() function.

<?php

$password = "24FE21121@1*?"; // password the user inputs
echo password_hash($password, PASSWORD_DEFAULT); // outputs the hashed password (salted, so it differs on every run)

?>

The output of the code snippet is (password_hash() generates a random salt on every call, so each run produces a different hash; this is one possible result):

$2y$10$YRmyqWGiHbDSI31XbD2DuOzmTKSjYSSgR.2.3rYCmSSFS/xlAtb3.

The code snippet uses the default hashing algorithm, which, according to the PHP documentation, is currently bcrypt (the PASSWORD_DEFAULT constant exists so that the default can change in future PHP releases). To choose a specific algorithm, change the function's second argument.

Three named algorithm constants are supported as the second argument: PASSWORD_BCRYPT, PASSWORD_ARGON2I, and PASSWORD_ARGON2ID.

PASSWORD_BCRYPT uses the CRYPT_BLOWFISH algorithm, PASSWORD_ARGON2I uses the Argon2i hashing algorithm, and PASSWORD_ARGON2ID uses the Argon2id hashing algorithm (the two Argon2 constants are only defined when PHP was built with Argon2 support). To better understand how each algorithm works, check the PHP password_hash() documentation.

Let’s try the PASSWORD_BCRYPT parameter in our code.

<?php

$password = "24FE21121@1*?"; // password the user inputs
echo password_hash($password, PASSWORD_BCRYPT); // outputs the hashed password using bcrypt explicitly

?>

The output of the code snippet is (again one possible result, since the salt is random):

$2y$10$vNfovWay8hSq5ixa/lOPK.4YMVX1kgYCBPDEdvz3zM/EBUiBUukpO

Both PASSWORD_DEFAULT and PASSWORD_BCRYPT use the $2y$ identifier and produce a 60-character string. With the above process, we have successfully hashed the user's password.

Now, when the user wants to log in to their account, we need to compare the password they enter with the stored hash. That is where password_verify() comes into play.

We can compare the entered password with the stored hashed password using this built-in function.

<?php

$password = "24FE21121@1*?";
$hashed_password ='$2y$10$YRmyqWGiHbDSI31XbD2DuOzmTKSjYSSgR.2.3rYCmSSFS/xlAtb3.';

print_r(password_verify($password, $hashed_password));

?>

The output of the code snippet is:

1

In PHP, 1 represents true and 0 represents false.

Let’s try the password_verify() function on the hashed password produced by the PASSWORD_BCRYPT parameter.

<?php

$password = "24FE21121@1*?";
$hashed_password = '$2y$10$vNfovWay8hSq5ixa/lOPK.4YMVX1kgYCBPDEdvz3zM/EBUiBUukpO';

print_r(password_verify($password, $hashed_password));

?>

The output of the code snippet is:

1

The reason password_verify() works with either hash is that it accepts any hash in a crypt()-compatible format, which both of ours are. The algorithm identifier, cost, and salt are encoded in the hash string itself, so nothing beyond the hash needs to be stored, and password_verify() reads them back from the hash. The comparison is also performed in constant time, so the function is safe against timing attacks.

To tune the hash, you can pass options as the third argument of password_hash(). The cost option (default 10) sets how expensive each bcrypt computation is; raising it makes brute-forcing a stolen hash slower, but also makes every login slower. A salt option also existed, but it was deprecated in PHP 7.0 and removed in PHP 8.0 because password_hash() always generates a cryptographically random salt itself. Setting these options without understanding them can greatly weaken your security.
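The following is an added example, not code from the original article: it shows what password_hash() encodes into the hash string, how the cost option changes it, and how a login routine can verify a password and then upgrade an old hash to a higher cost. The helper names hash_with(), describe() and verify_and_upgrade() are this example's own; password_get_info() and password_needs_rehash() are standard PHP functions that the article does not mention.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). Function and variable
// names are the example's own choices; the sample password is constructed.

// Hash with an explicit algorithm and cost. Falls back to bcrypt when the
// Argon2id constant is not compiled into this PHP build.
function hash_with(string $password, string $algoName, int $cost = 10): string
{
    if ($algoName === 'argon2id' && defined('PASSWORD_ARGON2ID')) {
        return password_hash($password, PASSWORD_ARGON2ID);
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Read the algorithm and options straight out of the hash string. There is
// no separate salt column: the $2y$<cost>$<22-char salt><31-char digest>
// layout is self-describing, which is why password_verify() needs no extra input.
function describe(string $hash): array
{
    $info = password_get_info($hash);
    return [
        'algoName' => $info['algoName'],
        'options'  => $info['options'],
        'length'   => strlen($hash),
        'prefix'   => substr($hash, 0, 4),
    ];
}

// Login-time check: verify first, then rehash only if the stored hash no
// longer meets the current policy (for example, cost raised from 10 to 12).
// The caller must persist the returned hash when it is non-null.
function verify_and_upgrade(string $password, string $storedHash, int $targetCost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample password for the demo.
$password = "24FE21121@1*?";

$old = hash_with($password, 'bcrypt', 10);
print_r(describe($old)); // bcrypt, cost 10, 60 characters, $2y$ prefix

// Same password and cost, yet the two hashes differ: the salt is random per call.
var_dump($old === hash_with($password, 'bcrypt', 10));

// Correct password against a cost-10 hash with a cost-12 policy: verified,
// and a replacement hash at the new cost is produced.
$result = verify_and_upgrade($password, $old, 12);
var_dump($result['ok'], $result['newHash'] !== null);
print_r(describe($result['newHash']));

// A wrong password is rejected and never triggers a rehash.
$wrong = verify_and_upgrade("24Fqqw1121@1*?", $old, 12);
var_dump($wrong['ok'], $wrong['newHash']);
?>
```

The upgrade path matters because the cost you pick today will be too low on tomorrow's hardware; checking password_needs_rehash() on every successful login lets you raise the cost without asking users to reset their passwords.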

To check that password_verify() rejects a wrong password, let us supply an incorrect one (changing 24FE21121@1*? to 24Fqqw1121@1*?).

<?php

$password = "24Fqqw1121@1*?";
$hashed_password = '$2y$10$vNfovWay8hSq5ixa/lOPK.4YMVX1kgYCBPDEdvz3zM/EBUiBUukpO';

if (password_verify($password, $hashed_password)) {
    echo "Password Matches!";
} else {
    echo "Wrong Password";
}

?>

The output of the code snippet is:

Wrong Password

If we use it within the context of an actual login process, with the username bound through a prepared statement, the code could look like this:

<?php
session_start(); // required before $_SESSION is written

// Database credentials: replace the placeholders with your own values.
$connect = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

if (isset($_POST['submit'])) {
    // read the form fields explicitly instead of extract()ing all of $_POST,
    // which would let a client overwrite any local variable
    $username        = $_POST['username'] ?? '';
    $enteredPassword = $_POST['enteredPassword'] ?? '';

    // retrieve the stored hashed password with a prepared statement so the
    // username is bound as data and never interpolated into the SQL string
    $stmt = mysqli_prepare($connect, "SELECT id, hashPassword FROM USERTABLE WHERE USER = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $fetch = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    $currentPassword = $fetch['hashPassword'] ?? '';

    if ($fetch && password_verify($enteredPassword, $currentPassword)) {
        // password matches
        $_SESSION['id'] = $fetch['id'];
        header("Location: home.php");
        exit; // stop executing after the redirect
    } else {
        // password doesn't match (or the user does not exist)
        $output = "Wrong Password";
    }
}
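As an added example that is not part of the original article, here is the registration side the article mentions but does not show, together with a login function, both using prepared statements. It uses PDO with an in-memory SQLite database (it assumes the pdo_sqlite extension is available) so that it runs stand-alone; the same bound-parameter statements work unchanged against MySQL through PDO or mysqli. The table name, column names, helper names and sample accounts are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not the article's code): registration and login with
// prepared statements, backed by an in-memory SQLite database so it runs
// offline. Names and sample data below are constructed for this example.

const MAX_PASSWORD_BYTES = 72; // bcrypt only hashes the first 72 bytes of the input

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        hashPassword TEXT NOT NULL
    )');
    return $db;
}

// Store only the hash, never the password. Over-long input is rejected rather
// than silently truncated by bcrypt; an empty password is rejected too.
function register(PDO $db, string $username, string $password): bool
{
    if ($password === '' || strlen($password) > MAX_PASSWORD_BYTES) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, hashPassword) VALUES (:u, :h)');
    try {
        return $stmt->execute([
            ':u' => $username,
            ':h' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        return false; // UNIQUE constraint: username already taken
    }
}

// Returns the user id on success, null otherwise. The username is a bound
// parameter. When the user does not exist, password_verify() still runs
// against a dummy hash so the response time does not reveal which usernames
// are registered.
function login(PDO $db, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, hashPassword FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = ($row !== false) ? $row['hashPassword'] : $dummyHash;
    $ok = password_verify($password, $storedHash);
    return ($ok && $row !== false) ? (int) $row['id'] : null;
}

$db = open_db();
var_dump(register($db, 'alice', "24FE21121@1*?"));   // new account
var_dump(register($db, 'alice', "another-secret"));  // duplicate username
var_dump(register($db, 'bob', str_repeat('x', 80))); // longer than 72 bytes
var_dump(login($db, 'alice', "24FE21121@1*?"));      // correct password
var_dump(login($db, 'alice', "24Fqqw1121@1*?"));     // wrong password
var_dump(login($db, 'nobody', "24FE21121@1*?"));     // unknown user
?>
```

The dummy-hash step in login() is the detail most often missed: without it, a request for an unknown username returns almost instantly while a known one costs a full bcrypt computation, and that difference is measurable from the outside.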