YogeshChauhan . com

How to Use password_hash and password_verify to Secure Your User’s Data (Especially Passwords)?

in PHP on December 21, 2019

The new bcrypt() a popular hashing algorithm and new hashing API in PHP uses it for encryption.

I am going to show you how to use those functions to save your user's valuable data in a secure way.

To take user input and store it in a variable securely, we use password_hash().

password_hash()

Syntax:


password_hash ($password, $algorithm) 

It creates a new password using one-way hashing algorithm and it is also compatible with crypt().

To use password_hash() all we need to do is write down this line in PHP file:


$hash = password_hash($password, PASSWORD_DEFAULT);

In the line above, we are storing the password's hash value in a variable called $hash.

PASSWORD_DEFAULT is the bcrypt algorithm we use to create a password hash

$password is the actual password value entered by user. 

If you want to store password hash in your database, which I am sure you do, then keep that column's capacity beyond 60 characters. Because no matter what size of password user has entered, the password hash will be 60 or more characters long depending on the algorithm you choose.

The following algorithms are supported currently.

1. PASSWORD_DEFAULT 

2. PASSWORD_BCRYPT

3. PASSWORD_ARGON2I 

4. PASSWORD_ARGON2ID

There are few more options available to provide salt if you use PASSWORD_BCRYPT, PASSWORD_ARGON2I or PASSWORD_ARGON2ID. You can check out the official manual HERE.

Now if you store that password hash of 60+ characters long in your database then how will you compare the password in the future to give user access?

Well, PHP has another function called password_verify() to check that. Let's see how.

password_verify()

Syntax:


password_verify ($password, $hash) 

This function takes one argument as user's simple / plain password and then another argument as the hashed string we we just created. 

  • $password – password entered by user
  • $hash- hash password we created using password_hash

The function returns Boolean value as a result that means either TRUE or FALSE.

For example:


if (password_verify($password, $hash)) {
    echo "correct password!";
}
else {
    echo "incorrect password!";
}

It's as simple as that. You can always retrieves hashed string from database and compare it with user's plain password.

dreamhost

Most Read

#1 How to check if radio button is checked or not using JavaScript? #2 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #3 How to uninstall Cocoapods from the Mac OS? #4 How to add Read More Read Less Button using JavaScript? #5 How to Use SQL MAX() Function with Dates? #6 PHP Login System using PDO Part 1: Create User Registration Page

Recently Posted

May 5 Use inline if to make a shorter conditional syntax in React May 4 What is Conditional Rendering in React? May 3 How does @extend rule work in SCSS (Sass)? May 2 How different is Handling Events in React vs HTML DOM? May 2 How to create bouncing balls using HTML canvas and JavaScript? Apr 30 HTML canvas methods

You might also like these

Why does MOV matter in IT or any kind of projects?MiscHow to change style of nth-child using jQuery?jQueryHow to host Google fonts on your server and add them using CSS?CSSCrypto.getRandomValues() method in JavaScriptJavaScriptA Quick Guide to Object-Oriented Programming in PHPPHPHow to verify your domain in Google Console with a TXT record?Misc