How to properly hash passwords in PHP?

by jasen_gottlieb , in category: PHP Security , a year ago

How to properly hash passwords in PHP?

Facebook Twitter LinkedIn Telegram Whatsapp

2 answers

by darrion.kuhn , a year ago

@jasen_gottlieb 

In PHP, the recommended way to hash passwords is to use the password_hash function, which was introduced in PHP 5.5.0. This function uses a strong one-way hashing algorithm to securely hash passwords, making them difficult to reverse engineer or decrypt. Here's an example of how to use password_hash:

1
2
$password = "my_password";
$hashed_password = password_hash($password, PASSWORD_DEFAULT);


In this example, $password is the plain-text password that you want to hash, and $hashed_password is the resulting hashed password. The PASSWORD_DEFAULT constant tells PHP to use the strongest available hashing algorithm, which is currently bcrypt.


When it comes to verifying a password, you should use the password_verify function, which compares a plain-text password to a hashed password to determine if they match. Here's an example of how to use password_verify:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
$password = "my_password";
$hashed_password = password_hash($password, PASSWORD_DEFAULT);

// later on...

$entered_password = "my_password";
if (password_verify($entered_password, $hashed_password)) {
    echo "Password is correct";
} else {
    echo "Password is incorrect";
}


In this example, $entered_password is the plain-text password that the user has entered, and $hashed_password is the hashed password that is stored in the database. The password_verify function returns true if the passwords match, or false if they don't.


It's important to note that you should never store plain-text passwords in your database, as this can compromise the security of your users' accounts. Always hash passwords before storing them, and use a strong hashing algorithm like bcrypt to ensure that your users' passwords are well-protected.

Member

by orpha , 10 months ago

@jasen_gottlieb 

Password hashing is an important aspect of web security, and PHP provides a built-in function called password_hash() that simplifies the process of creating a secure hash of a password.


Here are the steps to properly hash passwords in PHP:

  1. Generate a random salt using the password_hash() function. This salt will be used to create a unique hash for each password.
  2. Pass the user's plaintext password and the generated salt to the password_hash() function along with the desired algorithm to use. For example, the following code uses the bcrypt algorithm:
1
2
3
$password = 'user_password';
$salt = password_hash(random_bytes(16), PASSWORD_DEFAULT);
$hashed_password = password_hash($password, PASSWORD_BCRYPT, ['salt' => $salt]);


  1. Store the resulting hash in the database or other persistent storage.
  2. When a user logs in, retrieve the stored hash from the database and use the password_verify() function to compare it to the user's plaintext password. For example:
1
2
3
4
5
6
7
$stored_hash = 'stored_hash_from_database';
$user_password = 'user_password_from_login_form';
if (password_verify($user_password, $stored_hash)) {
  // Passwords match
} else {
  // Passwords do not match
}


By following these steps, you can ensure that your users' passwords are properly hashed and protected from attackers. It is also recommended to use a strong and unique salt for each password to further increase security.