Yogesh Chauhan's Blog

How to Use password_hash and password_verify to Secure Your User’s Data (Especially Passwords)?

in PHP on December 21, 2019

The new bcrypt() a popular hashing algorithm and new hashing API in PHP uses it for encryption.

I am going to show you how to use those functions to save your user's valuable data in a secure way.

To take user input and store it in a variable securely, we use password_hash().



password_hash ($password, $algorithm) 

It creates a new password using one-way hashing algorithm and it is also compatible with crypt().

To use password_hash() all we need to do is write down this line in PHP file:

$hash = password_hash($password, PASSWORD_DEFAULT);

In the line above, we are storing the password's hash value in a variable called $hash.

PASSWORD_DEFAULT is the bcrypt algorithm we use to create a password hash

$password is the actual password value entered by user. 

If you want to store password hash in your database, which I am sure you do, then keep that column's capacity beyond 60 characters. Because no matter what size of password user has entered, the password hash will be 60 or more characters long depending on the algorithm you choose.

The following algorithms are supported currently.





There are few more options available to provide salt if you use PASSWORD_BCRYPT, PASSWORD_ARGON2I or PASSWORD_ARGON2ID. You can check out the official manual HERE.

Now if you store that password hash of 60+ characters long in your database then how will you compare the password in the future to give user access?

Well, PHP has another function called password_verify() to check that. Let's see how.



password_verify ($password, $hash) 

This function takes one argument as user's simple / plain password and then another argument as the hashed string we we just created. 

  • $password – password entered by user
  • $hash- hash password we created using password_hash

The function returns Boolean value as a result that means either TRUE or FALSE.

For example:

if (password_verify($password, $hash)) {
    echo "correct password!";
else {
    echo "incorrect password!";

It's as simple as that. You can always retrieves hashed string from database and compare it with user's plain password.

Most Read

#1 How to check if radio button is checked or not using JavaScript? #2 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #3 How to add Read More Read Less Button using JavaScript? #4 How to uninstall Cocoapods from the Mac OS? #5 PHP Login System using PDO Part 1: Create User Registration Page #6 How to Use SQL MAX() Function with Dates?

Recently Posted

#Aug 15 Is PHP still good for back-end programming? #Aug 10 How to create a multisite network in WordPress? #Aug 3 How to create a circle that follows a cursor using JavaScript and CSS? #Aug 3 How to make a curtain slider using jQuery and CSS? #Aug 2 How to progressively load images and add a blurry placeholder? #Aug 1 How to create a placeholder loader (throbber) using CSS?
You might also like these
How to use @supports rule in CSS?CSSHow to get Current Year, Month and Date in JavaScript?JavaScriptHow to change the Login Logo in WordPress?WordPressHow to create a function in SCSS (Sass)?SCSSOptional arguments, Default parameters and REST parameters in JavaScriptJavaScriptHow to merge arrays in JavaScript?JavaScript