How to Hash Passwords in PHP
Hashing passwords before storing them is an essential element in the security of a web application. It can be problematic setting up your own solution for this with no security holes. Thankfully newer versions of PHP have a cryptographically secure password hashing function built-in.
In this guide, we will go through how to hash passwords in PHP and discuss methods of hashing you should avoid.
Hash a Password
The correct way to hash passwords in PHP is by using the built-in password_hash function. Let's have a look at the syntax of the function.
password_hash($string, PASSWORD_DEFAULT, $options)
The first argument ($string) is the original password that has been entered.
The second optional argument is the hashing algorithm to use. As of PHP 7.0.0, the following options can be entered:
PASSWORD_DEFAULT - use the bcrypt algorithm (the default as of PHP 5.5.0)
PASSWORD_BCRYPT - use the CRYPT_BLOWFISH algorithm
PASSWORD_ARGON2I - use the Argon2i algorithm
PASSWORD_ARGON2ID - use the Argon2id algorithm
In most cases, bcrypt will be a perfectly adequate method of hashing.
The third optional argument is an array of options implemented by the following array keys:
salt - deprecated since PHP 7.0.0
cost - an integer giving the complexity of the hash (default is 10)
The following extra options are available if using
memory_cost - integer in kibibytes of maximum memory to use
time_cost - integer in seconds for the maximum compute time
threads - number of threads to use
Below we are creating a bcrypt hash and using it in a variable that can be used to store the hash in a database.
$hash = password_hash('password', PASSWORD_DEFAULT);
Note - make sure the database password column allows at least 255 characters so that the complete hash can always be saved.
Check If a Password Needs Rehashing
To check whether an existing hash still matches the given algorithm and options, use the password_needs_rehash function. It returns true when the hash was created with a different algorithm or options and should therefore be regenerated.
$needsRehash = password_needs_rehash($hash, PASSWORD_DEFAULT, $options);
Verify a Password Matches a Hash
To verify that a password a user has entered matches a hash in PHP, use the password_verify function. It returns true if the password matches the hash and false otherwise.
$valid = password_verify($password, $hash);
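The following is an added example, not code from the original article, that ties the verify and rehash steps above into one register/login flow. The $users array standing in for a database table, the user names and the bcrypt cost of 12 are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: register/login flow built on password_hash(), password_verify()
// and password_needs_rehash(). The "users" table is simulated with an in-memory
// array so the script runs stand-alone; in a real application the hash would
// live in a VARCHAR(255) column.

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12]; // assumed: raise bcrypt cost above the default of 10

/** @var array<string, string> $users  username => stored hash (constructed sample store) */
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // Never store the plaintext; store only the salted hash returned by password_hash().
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $hash = $users[$username];

    // password_verify() reads the algorithm, cost and salt from the hash itself.
    if (!password_verify($password, $hash)) {
        return false;
    }

    // The plaintext is only available at login, so this is the moment to upgrade
    // hashes that were created with an older algorithm or a lower cost.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed legacy hash at cost 10 to demonstrate the transparent upgrade path.
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
registerUser($users, 'bob', 'hunter2');

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(password_get_info($users['alice'])['options']['cost']); // cost after the rehash
var_dump(loginUser($users, 'bob', 'hunter2'));
```

After the successful login for alice, password_get_info shows the stored hash has moved from cost 10 to cost 12 without the user doing anything.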
Get Info About a Hash
To get information about a hash in PHP, use the password_get_info function. It returns an array of information about the hash.
$info = password_get_info($hash);
[ "algo" => 1, "algoName" => "bcrypt", "options" => [ "cost" => 10 ] ];
Things to Avoid
Do not use sha1 (or similar fast general-purpose hashes), as they are not secure enough against brute-force hash matching.
Don't generate your own salt.
As of PHP 7.0.0, the salt option is deprecated because the cryptographically secure salt generated by PHP is a better solution than any custom salt. If you see the salt key in an options array passed to password_hash, you should remove it.
// Do not do this: the salt option is deprecated and overrides PHP's own secure salt.
$options = [
    'salt' => custom_salt_function(),
];
$hash = password_hash($your_password, PASSWORD_DEFAULT, $options);
You now know how to create secure password hashes in PHP and validate them.