How to properly hash passwords in PHP?

by jasen_gottlieb , in category: PHP Security , 2 years ago

How to properly hash passwords in PHP?

Facebook Twitter LinkedIn Telegram Whatsapp

2 answers

by darrion.kuhn , 2 years ago

@jasen_gottlieb 

In PHP, the recommended way to hash passwords is to use the password_hash function, which was introduced in PHP 5.5.0. This function uses a strong one-way hashing algorithm to securely hash passwords, making them difficult to reverse engineer or decrypt. Here's an example of how to use password_hash:

1
2
$password = "my_password";
$hashed_password = password_hash($password, PASSWORD_DEFAULT);


In this example, $password is the plain-text password that you want to hash, and $hashed_password is the resulting hashed password. The PASSWORD_DEFAULT constant tells PHP to use the strongest available hashing algorithm, which is currently bcrypt.


When it comes to verifying a password, you should use the password_verify function, which compares a plain-text password to a hashed password to determine if they match. Here's an example of how to use password_verify:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
$password = "my_password";
$hashed_password = password_hash($password, PASSWORD_DEFAULT);

// later on...

$entered_password = "my_password";
if (password_verify($entered_password, $hashed_password)) {
    echo "Password is correct";
} else {
    echo "Password is incorrect";
}


In this example, $entered_password is the plain-text password that the user has entered, and $hashed_password is the hashed password that is stored in the database. The password_verify function returns true if the passwords match, or false if they don't.


It's important to note that you should never store plain-text passwords in your database, as this can compromise the security of your users' accounts. Always hash passwords before storing them, and use a strong hashing algorithm like bcrypt to ensure that your users' passwords are well-protected.

Member

by orpha , 2 years ago

@jasen_gottlieb 

Password hashing is an important aspect of web security, and PHP provides a built-in function called password_hash() that simplifies the process of creating a secure hash of a password.


Here are the steps to properly hash passwords in PHP:

  1. Generate a random salt using the password_hash() function. This salt will be used to create a unique hash for each password.
  2. Pass the user's plaintext password and the generated salt to the password_hash() function along with the desired algorithm to use. For example, the following code uses the bcrypt algorithm:
1
2
3
$password = 'user_password';
$salt = password_hash(random_bytes(16), PASSWORD_DEFAULT);
$hashed_password = password_hash($password, PASSWORD_BCRYPT, ['salt' => $salt]);


  1. Store the resulting hash in the database or other persistent storage.
  2. When a user logs in, retrieve the stored hash from the database and use the password_verify() function to compare it to the user's plaintext password. For example:
1
2
3
4
5
6
7
$stored_hash = 'stored_hash_from_database';
$user_password = 'user_password_from_login_form';
if (password_verify($user_password, $stored_hash)) {
  // Passwords match
} else {
  // Passwords do not match
}


By following these steps, you can ensure that your users' passwords are properly hashed and protected from attackers. It is also recommended to use a strong and unique salt for each password to further increase security.

Related Threads:

How to use namespace properly in php?
How to use namespace properly in php?35
How to calculate exponential values properly in php?
How to properly integrate google chart with php?
How to properly show generated svg from php?
How to decrypt hash password in laravel?