How to hash a password in PHP – SitePoint


It is important to know how to hash a password in any programming language. In this quick tip article, we explain how to do this in PHP and why hashing passwords is so important.

Every PHP programmer must at some point write an application that relies on user login to function properly. Usernames and passwords are typically stored in a database and then used for authentication. As we know, passwords should never be stored in plain text in the database: if the database is compromised, all passwords are available to malicious actors. Therefore, we need to learn how to hash a password.

Notice how we use the word Hash instead of encrypt? This is because hashing and encryption are very different processes that are often confused.


A hashing The function takes a string like mypassword123 and converts it into an encrypted version of the string, denoted as a Hash. For example, mypassword123 could be hashed to produce a seemingly random sequence of numbers and letters, e.g 9c87baa223f464954940f859bcf2e233. Hashing is a one-way function. Once you hash something, you end up with a fixed-length string—an operation that cannot be easily undone.

We can compare two hashes to verify that they both come from the same original string. Later in this article we will look at how we can implement this process using PHP.


Similar to hashing, encryption takes an input string and converts it into a seemingly random sequence of numbers and letters. However, encryption is a reversible process – if you know the encryption key. Because it’s a reversible process, it’s a poor choice for passwords, but it’s great for things like secure peer-to-peer messaging.

If we encrypt a password instead of hashing it, and the database we’re using is somehow accessed by a malicious third party, all user accounts will be compromised – which is obviously not a good scenario.


Passwords should be too salted before it is hashed. Salt is the action of adding a random string of characters to a password before hashing it.

By salting passwords we can prevent dictionary attacks (where the attacker systematically enters each word in the dictionary as a password) and Rainbow Table Attacks (where the attacker uses a list of hashes of common passwords).

In addition to salting, we should use a reasonably secure algorithm when hashing. This means it should be an algorithm that isn’t broken yet, and preferably a special purpose algorithm rather than a general purpose algorithm (like SHA512).

As of 2023, the recommended hashing algorithms are:

  • argon2
  • encrypt
  • bcrypt
  • PBKDF2

Hashing with PHP

Hashing on PHP has been simplified since PHP5.5 with the introduction of password_hash() Function.

Currently it uses bcrypt (by default) and supports other hashing algorithms like Argon2. The password_hash() The function also takes care of salting the password for us.

At the end the hashed password is returned. The costs And Salt are returned as part of the hash.

To put it simply, the costs in a password hash refers to the computational effort required to generate the hash. It’s like a measure of how “difficult” it is to create the hash. The higher the cost, the more difficult it is.

Imagine you want to bake a cake and the recipe for that cake says “beat the eggs for five minutes”. That’s the “cost” of making this cake. If you want to make the cake firmer, you can change the recipe and say “beat the eggs for ten minutes”. Now the cake takes longer to make, and that’s like the “cost” of making the cake goes up.

As we can read on password_hash() Documentation:

…all the information needed to verify the hash is in it. This allows (password_verify()) function to verify the hash without requiring a separate store for salt or algorithm information.

This ensures that we don’t need to store any additional information in our database to verify the hashback.

In practice it looks like this:

    $password = "sitepoint";

    $hashed_password = password_hash($password, PASSWORD_DEFAULT);

    if (password_verify($password, $hashed_password)) {
    } else {

More information about password_hash() The function can be found here, while password_verify() You will find here.


It is important for PHP programmers to understand the difference between hashing and encryption and to use hashing to store passwords to protect user accounts from compromise. The introduction of password_hash() The feature in PHP 5.5 made it easy for programmers to securely hash passwords using various algorithms, including Argon2 and bcrypt.

As described by Tom Butler in PHP & MySQL: Novice to Ninja:

Luckily, PHP offers a very secure way to hash passwords. It’s made by people who know a lot more about these things than you or I do, and it saves developers like us from having to fully understand the security issues that can arise. For this reason, it is highly recommended to use PHP’s built-in algorithm for hashing passwords instead of creating your own.

Be sure to take this into account and stay up to date with the latest recommended hashing algorithms to ensure the best possible security for your applications.

Source link

Like it? Share with your friends!



Your email address will not be published. Required fields are marked *