How to Hash Passwords in PHP
Hashing passwords before storing them is an essential part of securing a web application. Building your own solution for this without introducing security holes is difficult. Thankfully, newer versions of PHP have a cryptographically secure password hashing function built in.
In this guide, we will go through how to hash passwords in PHP and discuss the hashing methods you should avoid.
Hash a Password
The correct way to hash passwords in PHP is with the built-in password_hash function. Let's have a look at its syntax.
password_hash($string, PASSWORD_DEFAULT, $options)
The first argument ($string) is the original password that has been entered.
The second optional argument is the hashing algorithm to use. As of PHP 7.0.0, the following algorithm constants are available:
PASSWORD_DEFAULT - use the bcrypt algorithm (the default as of PHP 5.5.0)
PASSWORD_BCRYPT - use the CRYPT_BLOWFISH (bcrypt) algorithm
PASSWORD_ARGON2I - use the Argon2i algorithm
PASSWORD_ARGON2ID - use the Argon2id algorithm
In most cases, bcrypt will be a perfectly adequate method of hashing.
The third optional argument is an array of options, set with the following array keys:
salt - deprecated since PHP 7.0.0
cost - an integer controlling the complexity (work factor) of the hash (default is 10)
The following extra options are available when using PASSWORD_ARGON2I or PASSWORD_ARGON2ID:
memory_cost - integer in kibibytes of maximum memory to use
time_cost - integer in seconds for the maximum compute time
threads - number of threads to use
Basic Usage
Below we create a bcrypt hash and assign it to a variable, which can then be stored in the database.
$hash = password_hash('password', PASSWORD_DEFAULT);
Note - make sure the database password column allows 255 characters so that the complete hash can always be saved, whichever algorithm produced it.
Check If a Password Needs Rehashing
To check whether a stored hash was created with the given algorithm and options, use the password_needs_rehash function. It returns true when the hash should be regenerated, for example after you raise the cost; do this right after a successful password_verify, which is the only moment you still hold the plaintext password.
$needsRehash = password_needs_rehash($hash, PASSWORD_DEFAULT, $options);
Verify a Password Matches a Hash
To verify that a password a user has entered matches a stored hash, use the password_verify function. It returns true or false, and the comparison is safe against timing attacks.
$valid = password_verify($password, $hash);
// true when $password matches $hash, false otherwise
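The three functions above fit together in a register/login flow. The following is an added example, not code from the original article: it assumes a plain array standing in for the users table, a raised cost of 12, and a hypothetical DUMMY_HASH constant used so that login timing does not reveal which usernames exist.

```php
<?php
// Added example, not code from the original article: a register/login flow that
// combines password_hash, password_verify and password_needs_rehash so that
// stored hashes are upgraded transparently when the cost parameter is raised.
// The user store is a plain array standing in for a database table.
declare(strict_types=1);
const HASH_ALGO = PASSWORD_DEFAULT;       // bcrypt on current PHP builds
const HASH_OPTIONS = ['cost' => 12];      // raise this over time as hardware gets faster
// Hypothetical dummy hash, verified against for unknown usernames so that the
// response time of a login attempt does not reveal which accounts exist.
define('DUMMY_HASH', password_hash('placeholder', HASH_ALGO, HASH_OPTIONS));

function registerUser(array &$users, string $username, string $password): void
{
    // Only the salted hash is stored; the plaintext never reaches the "table".
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : DUMMY_HASH;
    $ok    = password_verify($password, $hash);   // always runs, even for unknown users
    if (!$known || !$ok) {
        return false;
    }
    // Right after a successful verify is the only moment the plaintext is
    // available, so this is where an outdated hash gets regenerated.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

function check(bool $cond, string $what): void
{
    echo ($cond ? 'PASS: ' : 'FAIL: ') . $what . PHP_EOL;
}

// Constructed sample data for the demonstration.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
check(loginUser($users, 'alice', 'correct horse battery staple'), 'correct password accepted');
check(!loginUser($users, 'alice', 'wrong password'), 'wrong password rejected');
check(!loginUser($users, 'nobody', 'anything'), 'unknown user rejected');

// Simulate a hash created before the cost was raised; a successful login replaces it.
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
loginUser($users, 'alice', 'correct horse battery staple');
check(password_get_info($users['alice'])['options']['cost'] === 12, 'old hash upgraded to cost 12');
```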
Get Info About a Hash
To get information about a hash in PHP, use the password_get_info function. It returns an array describing the hash.
$info = password_get_info($hash);
[
    "algo" => 1,
    "algoName" => "bcrypt",
    "options" => [
        "cost" => 10
    ]
];
Things to Avoid
Do not use md5 or sha1 to hash passwords: they are fast, unsalted digests, so brute-force and precomputed-table attacks against them are cheap.
md5($str)
sha1($str)
Don't generate your own salt.
As of PHP 7.0.0, the salt option is deprecated, because the cryptographically secure salt that PHP generates itself is a better solution than any custom salt. If you see the salt key in an options array passed to password_hash, you should remove it.
// Do not do this: custom_salt_function() stands for any hand-rolled salt
$options = [
    'salt' => custom_salt_function(),
];
$hash = password_hash($your_password, PASSWORD_DEFAULT, $options);
Conclusion
You now know how to create secure password hashes in PHP and validate them.