password_hash() / password_verify()
Functions for securely hashing and verifying passwords. These are essential security features for implementing user authentication.
Syntax
// Hashes a password.
password_hash($password, $algo, $options);
// Verifies a password against a hash.
password_verify($password, $hash);
// Checks whether a hash needs to be recomputed.
password_needs_rehash($hash, $algo, $options);
Functions
| Function | Description |
|---|---|
| password_hash($password, $algo, $options) | Hashes a password and returns the result. Each call produces a different hash even for the same password. A salt is added automatically, so you do not need to manage salts manually. |
| password_verify($password, $hash) | Checks whether a plain-text password matches a hash. Returns true if they match, or false otherwise. |
| password_needs_rehash($hash, $algo, $options) | Checks whether an existing hash matches the current algorithm and cost settings. If it returns true, you should rehash the password. |
Common Algorithm Constants
| Constant | Description |
|---|---|
| PASSWORD_DEFAULT | Selects the algorithm PHP currently recommends. This is bcrypt from PHP 5.5 through PHP 8.x, but it may change in a future version. Store hashes in a column at least 255 characters wide so that a longer hash from a future algorithm still fits. |
| PASSWORD_BCRYPT | Uses the bcrypt algorithm, which always produces a 60-character hash. Only the first 72 bytes of the password are used. The cost option sets the work factor; each increment doubles the time needed to hash (and to brute-force). |
| PASSWORD_ARGON2ID | Uses the Argon2id algorithm, a memory-hard algorithm newer than bcrypt. Available since PHP 7.3, but only when PHP was built with Argon2 support (check with defined('PASSWORD_ARGON2ID')). Tunable through the memory_cost, time_cost and threads options. |
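The following added example (not code from the original page) shows how a practitioner would centralise the choice of algorithm and parameters, fall back to bcrypt where the PHP build lacks Argon2, and use password_get_info() to see what a stored hash was produced with. The password_policy() function and the Argon2 parameter values are assumptions chosen for illustration; tune them to your hardware. It also shows that a bcrypt hash still verifies after the policy moves to Argon2id, while password_needs_rehash() reports that it should be upgraded.

```php
<?php
declare(strict_types=1);

// Added example: one place that decides which algorithm and options to use.
// PASSWORD_ARGON2ID is only defined when PHP was compiled with Argon2
// support, so fall back to bcrypt where it is missing.
function password_policy(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, [
            'memory_cost' => 64 * 1024, // KiB of memory per hash (assumed value)
            'time_cost'   => 3,         // number of passes (assumed value)
            'threads'     => 1,
        ]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

[$algo, $options] = password_policy();

$password = 'correct horse battery staple';
$hash = password_hash($password, $algo, $options);

// The algorithm, its parameters and the salt are all encoded in the hash
// string itself, which is why password_verify() needs no separate settings.
print_r(password_get_info($hash));
// e.g. ['algo' => 'argon2id', 'algoName' => 'argon2id', 'options' => ['memory_cost' => 65536, 'time_cost' => 3, 'threads' => 1]]

// A hash made under an older policy (bcrypt, cost 10) still verifies...
$legacyHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_verify($password, $legacyHash)); // bool(true)

// ...but is flagged as behind policy, so it can be replaced on the next login.
var_dump(password_needs_rehash($legacyHash, $algo, $options)); // bool(true)
var_dump(password_needs_rehash($hash, $algo, $options));       // bool(false)
```

On a build without Argon2 the policy falls back to bcrypt with cost 12, and the last two checks then compare cost values instead of algorithms: the cost-10 hash is still reported as needing a rehash.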
Sample Code
<?php
// Hash a password.
$password = "my_secure_password";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash; // With bcrypt as the default, outputs a 60-character hash such as '$2y$10$...'.
// Each call produces a different hash, even for the same password.
$hash1 = password_hash($password, PASSWORD_DEFAULT);
$hash2 = password_hash($password, PASSWORD_DEFAULT);
var_dump($hash1 === $hash2); // Outputs 'bool(false)' because the salts differ.
// Verify a password using password_verify().
if (password_verify("my_secure_password", $hash)) {
echo "Authentication succeeded.";
} else {
echo "Incorrect password.";
}
// Example login flow.
$input_password = $_POST['password'] ?? '';
$stored_hash = '$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012'; // Placeholder standing in for the hash loaded from the database; not a real hash.
if (password_verify($input_password, $stored_hash)) {
// Rehash if needed.
if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
$new_hash = password_hash($input_password, PASSWORD_DEFAULT);
// Update the stored hash in the database with $new_hash.
}
echo "Login successful.";
} else {
echo "Login failed.";
}
// Specifying a cost option.
$options = ['cost' => 12]; // Default is 10 (raised to 12 in PHP 8.4). Each increment doubles the hashing time, for the attacker as well as for you.
$hash = password_hash($password, PASSWORD_BCRYPT, $options);
Notes
password_hash() is PHP's standard function for storing passwords securely. It generates a random salt and hashes the password with a deliberately slow algorithm such as bcrypt. Always use password_hash() to store passwords. Never hash passwords with md5() or sha1(): they are unsalted and designed to be fast, so an attacker who obtains the hashes can test billions of candidates per second on commodity GPUs.
password_verify() reads the algorithm, parameters and salt from the hash string, so you do not need to manage the salt separately during verification. It also compares in constant time, so the comparison itself leaks no timing information about the stored hash.
password_needs_rehash() determines whether an existing hash should be recomputed under the new algorithm or cost settings. Adding this check on a successful login lets you migrate users to stronger settings gradually without any disruption. For general information about hash generation, see hash().
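The following is an added example of the migration pattern described above, not code from the original page. It stores users in an in-memory SQLite table (assumption: the pdo_sqlite extension is enabled) so that it runs stand-alone, seeds one user with a hash made under the old default cost of 10, and shows login() transparently upgrading that hash to cost 12 on the first successful login. The register(), login() and stored_hash() helpers and the users table are assumptions made for the example. The dummy verification for unknown usernames is an added hardening step, so that a missing user does not answer noticeably faster than a wrong password.

```php
<?php
declare(strict_types=1);

// Added example: current hashing policy, applied at registration and at rehash time.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, HASH_ALGO, HASH_OPTIONS)]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a verification so the response time does
        // not reveal whether the username exists (added hardening).
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS);
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Successful login is the only moment the plaintext is available, so this
    // is where hashes made under an older algorithm or cost get upgraded.
    if (password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, HASH_ALGO, HASH_OPTIONS), ':id' => $row['id']]);
    }
    return true;
}

function stored_hash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Constructed demo data: in-memory database, one user hashed under the old cost of 10.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash VARCHAR(255) NOT NULL)');

$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')->execute(['alice', $legacy]);

var_dump(password_get_info(stored_hash($db, 'alice'))['options']['cost']); // int(10) before login
var_dump(login($db, 'alice', 'wrong'));                                    // bool(false), hash untouched
var_dump(login($db, 'nobody', 'whatever'));                                // bool(false), unknown user
var_dump(login($db, 'alice', 'correct horse battery staple'));             // bool(true), hash upgraded
var_dump(password_get_info(stored_hash($db, 'alice'))['options']['cost']); // int(12) after login
var_dump(login($db, 'alice', 'correct horse battery staple'));             // bool(true) under the new hash

register($db, 'bob', 'another passphrase');
var_dump(password_needs_rehash(stored_hash($db, 'bob'), HASH_ALGO, HASH_OPTIONS)); // bool(false)
```

Because the upgrade happens only on a successful verification, users who never log in keep their old hash; if you need every hash moved within a fixed period, force a password reset for the accounts that are still behind policy after that period.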