YogeshChauhan.com
How to Use password_hash and password_verify to Secure Your User’s Data (Especially Passwords)?
December 21, 2019

The new bcrypt() a popular hashing algorithm and new hashing API in PHP uses it for encryption.

I am going to show you how to use those functions to save your user's valuable data in a secure way.

To take user input and store it in a variable securely, we use password_hash().

password_hash()

Syntax:


password_hash ($password, $algorithm) 

It creates a new password using one-way hashing algorithm and it is also compatible with crypt().

To use password_hash() all we need to do is write down this line in PHP file:


$hash = password_hash($password, PASSWORD_DEFAULT);

In the line above, we are storing the password's hash value in a variable called $hash.

PASSWORD_DEFAULT is the bcrypt algorithm we use to create a password hash

$password is the actual password value entered by user. 

If you want to store password hash in your database, which I am sure you do, then keep that column's capacity beyond 60 characters. Because no matter what size of password user has entered, the password hash will be 60 or more characters long depending on the algorithm you choose.

The following algorithms are supported currently.

1. PASSWORD_DEFAULT 

2. PASSWORD_BCRYPT

3. PASSWORD_ARGON2I 

4. PASSWORD_ARGON2ID

There are few more options available to provide salt if you use PASSWORD_BCRYPT, PASSWORD_ARGON2I or PASSWORD_ARGON2ID. You can check out the official manual HERE.

Now if you store that password hash of 60+ characters long in your database then how will you compare the password in the future to give user access?

Well, PHP has another function called password_verify() to check that. Let's see how.

password_verify()

Syntax:


password_verify ($password, $hash) 

This function takes one argument as user's simple / plain password and then another argument as the hashed string we we just created. 

  • $password – password entered by user
  • $hash- hash password we created using password_hash

The function returns Boolean value as a result that means either TRUE or FALSE.

For example:


if (password_verify($password, $hash)) {
    echo "correct password!";
}
else {
    echo "incorrect password!";
}

It's as simple as that. You can always retrieves hashed string from database and compare it with user's plain password.

dreamhost

Leave a Reply

Most Read

#1 How to check if radio button is checked or not using JavaScript? #2 How to set opacity or transparency using CSS? #3 Pagination in CSS with multiple examples #4 How to make HTML form interactive and using CSS? #5 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #6 How to uninstall Cocoapods from the Mac OS?

Recently Posted

Mar 2 How to zoom an element on hover using CSS? Mar 2 the box-sizing property in CSS Mar 2 WordPress: How to access first and random row values from a repeater field in ACF? Mar 1 The basics of CSS Box model Feb 27 WordPress: How to display slider repeater fields in ACF? Feb 26 Simple Page Hit Counter in PHP

You might also like these

The Difference Between Arrays and Objects in JavaScriptJavaScriptThe difference between 400(4xx) and 500(5xx) errorsMiscCustom Post Type Template Files in WordPressWordPressJavaScript String fromCharCode() MethodJavaScriptCan Firewall and IDPS Stop DDoS Attack?MiscHow to animate list items using CSS and JavaScript?CSS