Yogesh Chauhan's Blog

How to Use password_hash and password_verify to Secure Your User’s Data (Especially Passwords)?

in PHP on December 21, 2019

The new bcrypt() a popular hashing algorithm and new hashing API in PHP uses it for encryption.

I am going to show you how to use those functions to save your user's valuable data in a secure way.

To take user input and store it in a variable securely, we use password_hash().

password_hash()

Syntax:


password_hash ($password, $algorithm) 

It creates a new password using one-way hashing algorithm and it is also compatible with crypt().

To use password_hash() all we need to do is write down this line in PHP file:


$hash = password_hash($password, PASSWORD_DEFAULT);

In the line above, we are storing the password's hash value in a variable called $hash.

PASSWORD_DEFAULT is the bcrypt algorithm we use to create a password hash

$password is the actual password value entered by user. 

If you want to store password hash in your database, which I am sure you do, then keep that column's capacity beyond 60 characters. Because no matter what size of password user has entered, the password hash will be 60 or more characters long depending on the algorithm you choose.

The following algorithms are supported currently.

1. PASSWORD_DEFAULT 

2. PASSWORD_BCRYPT

3. PASSWORD_ARGON2I 

4. PASSWORD_ARGON2ID

There are few more options available to provide salt if you use PASSWORD_BCRYPT, PASSWORD_ARGON2I or PASSWORD_ARGON2ID. You can check out the official manual HERE.

Now if you store that password hash of 60+ characters long in your database then how will you compare the password in the future to give user access?

Well, PHP has another function called password_verify() to check that. Let's see how.

password_verify()

Syntax:


password_verify ($password, $hash) 

This function takes one argument as user's simple / plain password and then another argument as the hashed string we we just created. 

  • $password – password entered by user
  • $hash- hash password we created using password_hash

The function returns Boolean value as a result that means either TRUE or FALSE.

For example:


if (password_verify($password, $hash)) {
    echo "correct password!";
}
else {
    echo "incorrect password!";
}

It's as simple as that. You can always retrieves hashed string from database and compare it with user's plain password.


Most Read

#1 Solution to the error “Visual Studio Code can’t be opened because Apple cannot check it for malicious software” #2 How to add Read More Read Less Button using JavaScript? #3 How to check if radio button is checked or not using JavaScript? #4 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #5 How to uninstall Cocoapods from the Mac OS? #6 PHP Login System using PDO Part 1: Create User Registration Page

Recently Posted

#Apr 8 JSON.stringify() in JavaScript #Apr 7 Middleware in NextJS #Jan 17 4 advanced ways to search Colleague #Jan 16 Colleague UI Basics: The Search Area #Jan 16 Colleague UI Basics: The Context Area #Jan 16 Colleague UI Basics: Accessing the user interface
You might also like these
What are Conditional Tags in WordPress?WordPressMiddleware in NextJSNextJSSlider animation using CSS transform propertyCSSHow to Remove PHP File Extensions From Your Website URLs?PHPSolution for Xcode 11 Command PhaseScriptExecution failed with a nonzero exit code errorMiscellaneousWhat is XP (Extreme Programming) and When should it be used?Miscellaneous