Securely Hash Passwords with PHP | How to work with users' passwords and how to securely hash passwords in PHP?

Hashing passwords with md5 (or sha1, or even sha256) is no longer safe, because such hashes can be cracked very easily (rainbow tables). PHP 5.5+ provides a password_hash function that generates a secure, one-way hash, together with a password_verify function that checks a given password against a stored hash. For a developer, security is always a priority, so you should always store user passwords securely. We hash passwords because of security and information-leakage concerns: if passwords are stored in plain text, they are compromised the moment the data leaks.

PASSWORD_DEFAULT, PASSWORD_BCRYPT and (as of PHP >= 7.2.0) PASSWORD_ARGON2I are the password hashing algorithm options. Currently, the options PASSWORD_DEFAULT and PASSWORD_BCRYPT will both result in the use of the BCRYPT hashing algorithm, making them essentially the same.

PASSWORD_BCRYPT creates a hash of 60 characters.
PASSWORD_DEFAULT also currently creates a hash of 60 characters, because it currently uses the BCRYPT algorithm too. If you use PASSWORD_DEFAULT, however, it is recommended to make the database column 255 characters wide, because this constant (PASSWORD_DEFAULT) is designed to change over time as new and stronger algorithms are added to PHP, and the resulting hashes may then be longer.

Another important option to mention is the cost, which controls how slow the hash is to compute. It is recommended to test the cost on your server before using it in production. On servers with more resources, the cost can be increased. It is good security practice to try raising it above the default (10).
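The following is an added example, not code from the original post, showing one way to pick the cost on the machine that will actually run the hashing: it raises the bcrypt cost until one hash takes longer than a time budget and then steps back one notch. The 50 ms budget, the cost cap and the function name are assumptions chosen for the example; it needs PHP 7 or later for the scalar type declarations.

```php
<?php
// Added example: find the highest bcrypt cost that still hashes within a time
// budget on this server. $targetSeconds and $maxCost are constructed choices.
function find_bcrypt_cost(float $targetSeconds = 0.05, int $minCost = 10, int $maxCost = 15): int
{
    $cost = $minCost;
    do {
        $cost++;
        $start = microtime(true);
        // The password value only matters for timing; any string will do.
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < $maxCost);

    // The last cost tried exceeded the budget (or hit the cap), so step back one
    // notch; never go below the minimum the post recommends as a floor.
    return max($minCost, $cost - 1);
}

$cost = find_bcrypt_cost();
echo "Use ['cost' => {$cost}] for password_hash() on this server\n";
```

Run it on the production hardware rather than a developer laptop, since a slower machine would otherwise lead you to choose a weaker cost.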

It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

You can also supply your own randomly generated salt through the salt option, but that option is deprecated as of PHP 7.0 and ignored as of PHP 8.0, so let password_hash generate the salt for you.

If you are using PHP >= 7.2.0 you also have the option to use PASSWORD_ARGON2I, which hashes passwords with the Argon2i algorithm.
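As an added example (not from the original post), the function below uses PASSWORD_ARGON2I when the running PHP build provides it and falls back to bcrypt otherwise, then reads the parameters back out of the hash with password_get_info. The memory_cost and time_cost values, the bcrypt cost and the function name are assumptions for the example, not recommendations from the post; tune them on the real server the same way as the bcrypt cost.

```php
<?php
// Added example: prefer Argon2i (PHP >= 7.2.0 compiled with Argon2 support),
// otherwise fall back to bcrypt. Parameter values are constructed starting points.
function hash_password_preferring_argon2i(string $password): string
{
    if (defined('PASSWORD_ARGON2I')) {
        return password_hash($password, PASSWORD_ARGON2I, [
            'memory_cost' => 1 << 17, // in KiB, i.e. 128 MiB of memory per hash
            'time_cost'   => 3,       // number of passes over that memory
            // 'threads' is left at its default; some builds only support 1.
        ]);
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

$hash = hash_password_preferring_argon2i('correct horse battery staple');
$info = password_get_info($hash);

// Argon2i hashes start with "$argon2i$" and embed their parameters, so the string
// is self-describing and longer than bcrypt's 60 characters: size the column at 255.
printf(
    "algo=%s length=%d options=%s\n",
    $info['algoName'],
    strlen($hash),
    json_encode($info['options'])
);
```

Because the parameters travel inside the hash, password_verify needs no configuration to check it later, and password_needs_rehash can detect rows hashed with older, weaker parameters.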

PHP 5.5+ also provides a function to check a password against its stored hash: password_verify takes the plain password entered by the user and the hash from the database, and returns true only if they match.
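The complete registration and login flow, as an added example that is not part of the original post: password_hash on registration, password_verify on login, and password_needs_rehash to upgrade rows that were hashed with an older algorithm or a lower cost. The in-memory $users array stands in for the users table, the usernames and passwords are constructed sample data, and the cost of 12 and the function names are assumptions; it requires PHP 7 or later.

```php
<?php
// Added example: registration / login built on password_hash() and password_verify().
// $users is a constructed stand-in for the database table (username => stored hash).
// The real column should be VARCHAR(255), since PASSWORD_DEFAULT may change format.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];   // pick this with a cost benchmark on the real server

function register_user(array &$users, string $username, string $password): void
{
    // Never store $password itself; only the one-way hash goes into the table.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login_user(array &$users, string $username, string $password): bool
{
    // A dummy hash is verified when the username is unknown, so an unknown user
    // costs the same time as a wrong password and cannot be told apart by timing.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);
    }

    $exists      = isset($users[$username]);
    $hashToCheck = $exists ? $users[$username] : $dummyHash;

    // password_verify runs first so it is always evaluated, then the existence check.
    if (!password_verify($password, $hashToCheck) || !$exists) {
        return false;
    }

    // Transparently upgrade hashes created with an older algorithm or lower cost;
    // this is the only moment the plain password is available to rehash.
    if (password_needs_rehash($hashToCheck, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
register_user($users, 'alice', 'correct horse battery staple');

var_dump(login_user($users, 'alice', 'correct horse battery staple'));
var_dump(login_user($users, 'alice', 'wrong password'));
var_dump(login_user($users, 'nobody', 'anything'));

// Simulate a legacy row hashed at the old default cost of 10: the next successful
// login rehashes it with the current HASH_OPTIONS.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
login_user($users, 'bob', 'hunter2');
echo 'bob cost is now ', password_get_info($users['bob'])['options']['cost'], "\n";
```

The first login succeeds and the two others fail; after bob's login the stored hash reports the current cost rather than 10. Note that password_verify reads the algorithm, cost and salt from the stored hash itself, which is why no salt or option has to be stored in a separate column.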
