Yogesh Chauhan's Blog

How to Use password_hash and password_verify to Secure Your User’s Data (Especially Passwords)?

in PHP on December 21, 2019

bcrypt is a popular password hashing algorithm, and PHP's newer password hashing API uses it by default.

I am going to show you how to use these functions to store your users' valuable data (their passwords) securely.

To take a password entered by the user and hash it before storing it, we use password_hash().

password_hash()

Syntax:


password_hash($password, $algorithm, $options = [])

It creates a password hash using a one-way hashing algorithm, and the resulting hash is compatible with crypt().

To use password_hash(), all we need to do is write this line in the PHP file:


$hash = password_hash($password, PASSWORD_DEFAULT);

In the line above, we are storing the password's hash value in a variable called $hash.

PASSWORD_DEFAULT is the bcrypt algorithm, which we use to create the password hash.

$password is the actual password value entered by the user.

If you want to store the password hash in your database, which I am sure you do, then make that column wider than 60 characters, because no matter what size of password the user enters, the password hash will be 60 or more characters long depending on the algorithm you choose.

The following algorithms are currently supported:

1. PASSWORD_DEFAULT 

2. PASSWORD_BCRYPT

3. PASSWORD_ARGON2I 

4. PASSWORD_ARGON2ID

There are a few more options available (for example, supplying a salt) if you use PASSWORD_BCRYPT, PASSWORD_ARGON2I or PASSWORD_ARGON2ID. You can check them out in the official manual.

Now, if you store that 60+ character password hash in your database, how will you compare the password in the future to decide whether to give the user access?

Well, PHP has another function called password_verify() to check that. Let's see how.

password_verify()

Syntax:


password_verify ($password, $hash) 

This function takes the user's plain password as its first argument and the hashed string we just created as its second argument.

  • $password – the password entered by the user
  • $hash – the password hash we created using password_hash()

The function returns a Boolean value as its result, that is, either TRUE or FALSE.

For example:


if (password_verify($password, $hash)) {
    echo "correct password!";
}
else {
    echo "incorrect password!";
}

It's as simple as that. You can always retrieve the hashed string from the database and compare it with the user's plain password.
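To put both functions together, here is an added example (not code from the original post) of a register/login round trip: the password is hashed once with password_hash(), checked on login with password_verify(), and, using password_needs_rehash(), upgraded in place when the stored hash no longer matches the current algorithm or cost. The $users array, the cost of 12 and the sample credentials are constructed assumptions standing in for a real database table.

```php
<?php
// Added example, not code from the original post: a register/login round trip
// using password_hash(), password_verify() and password_needs_rehash().
// $users is a constructed in-memory array standing in for the database table.
declare(strict_types=1);

// Options for password_hash(); the cost of 12 is an assumed value. Tune it so
// that one hash takes roughly 100-250 ms on the server that will run logins.
const HASH_OPTIONS = ['cost' => 12];

// Hash a plaintext password for storage. Only the returned hash is ever stored.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Verify a login attempt. On success, if the stored hash was made with an older
// algorithm or a lower cost than HASH_OPTIONS, replace it with a fresh one so the
// table migrates to the current parameters as users log in.
function loginUser(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= hashPassword(bin2hex(random_bytes(16)));

    if (!isset($users[$username])) {
        // Spend the same time as a real check so the response time does not
        // reveal whether the username exists, then reject.
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = hashPassword($password);
    }
    return true;
}

// Constructed demo data: one registered user, then a wrong and a right password.
$users = ['alice' => hashPassword('correct horse battery staple')];
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
```

Keep in mind that bcrypt, which PASSWORD_DEFAULT currently selects, only uses the first 72 bytes of the password, so PASSWORD_ARGON2ID is the better choice if longer passphrases must count in full.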
