Hashing password is a technique of converting a single password into another string called hashed password. The hashed password is generally one-way, i.e. we can’t go to the original password from the hashed password. So the thing is why we needed to use hashing to do all this stuff, why going one more mile if we can save our passwords into the database as a simple string. The one and only reason for doing all these is to enhance security because the hackers don’t steal credentials from our valuable site. So that’s why we use various hashing methods to hash passwords to secure our passwords while creating websites and storing our database. In PHP, there are various cryptographic algorithms that are commonly used like md5, crypt, sha1, and bcrypt. And the most commonly used nowadays is bcrypt hashing method. In this article, we are going to learn about bcrypt hashing method in PHP.
PHP provides a general password hashing function for creating a new password hash from the password.
Syntax:
string password_hash(string $password, string $algo, array $options = [])
Here, the password_hash function takes mainly three parameters that are:
- $password: The password that you want to hash it takes a string value.
- $algo: The algorithm that you want to use to hash the password. Following are the password algorithms available in PHP.
- PASSWORD_BCRYPT: It uses the CRYPT_BLOWFISH algorithm to create the hash.
- PASSWORD_ARGON2I: It uses the Argon2i algorithm for hashing.
- PASSWORD_ARGON2ID: It uses the Argon2id algorithm for hashing.
- PASSWORD_DEFAULT: It uses the bcrypt algorithm for hashing.
- $options: It takes a salt value The default value is a random salt value. A salt value, an extra string that we append to a string while hashing.
Return Value: It returns a hashed password string.
Example:
PHP
<?php $password = "neveropen" ; echo "Password is:" , $password ; echo "Hashed password using CRYPT_BLOWFISH: " , password_hash( $password , PASSWORD_BCRYPT); echo "\n" ; echo "Hashed password using Argon2i: " , password_hash( $password , PASSWORD_ARGON2I); echo "\n" ; echo "Hashed password using bcrypt: " , password_hash( $password , PASSWORD_DEFAULT); ?> |
Output:
Password is: neveropen
Hashed password using CRYPT_BLOWFISH: $2y$10$V4Cvy4caGAQBLWbw8i/PHOK9lopTYoxyQze3aZ3ocw9dDvju7Wxoi
Hashed password using Argon2i: $argon2i$v=19$m=65536,t=4,p=1$Y2F2TVouVWplYVYucy9DSw$p164c28N85L5v1i8GISN1oao10ZzNm9e/JAyicRaX/w
Hashed password using bcrypt: $2y$10$MQU3vDgoN10.JxyJ1m9UQOEqFy.Jg3D8tmHdZUAAkcpGFRwkbbLfi
Note: We have not used PASSWORD_ARGON2ID because it is not available in standard PHP installation.
To verify the hashed password: PHP provides an inbuilt function called password_verify to match the hashed password to the original passwords.
Syntax:
bool password_verify(string $password, string $hash)
Parameters:
- $password: The password that we have hashed using a hashing algorithm.
- $hash: The hashed password that we are going to verify with the original password.
Example:
PHP
<?php $password = "neveropen" ; $hashed_password = '$2y$10$MQU3vDgoN10.JxyJ1m9UQOEqFy.Jg3D8tmHdZUAAkcpGFRwkbbLfi' ; echo "Original Password is: " , $password ; echo "\n" ; echo "Hashed Password is: " , $hashed_password ; echo "\n" ; if (password_verify( $password , $hashed_password )) { echo 'Password is valid!' ; } else { echo 'Invalid password.' ; } ?> |
Original Password is: neveropen Hashed Password is: $2y$10$MQU3vDgoN10.JxyJ1m9UQOEqFy.Jg3D8tmHdZUAAkcpGFRwkbbLfi Password is valid!