Hash Passwords Securely Using password_hash() in PHP
Store user passwords safely using modern hashing techniques in PHP for secure authentication systems.
Why Hash Passwords?
Plain text passwords are a major security risk. If your database is compromised, every user's credentials are exposed. PHP provides a modern, simple, and secure way to hash passwords using the password_hash() function.
How to Use password_hash()
The password_hash() function creates a secure hash using the bcrypt or Argon2 algorithm, depending on the PHP version and the algorithm constant and options you pass.
<?php
$password = 'mySecurePassword123';
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;
?>
This generates a string like $2y$10$RANDOMSTRING... which includes the salt and algorithm metadata.
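To make the "salt and metadata" claim concrete, here is an added example (not part of the original article) that hashes the same password twice, parses the algorithm and cost back out of the hash with password_get_info(), and falls back gracefully when Argon2id is not compiled into PHP. The password strings and the cost values are constructed for the demo; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the original article): inspect what password_hash()
// embeds in its output. The password and option values below are constructed for the demo.
declare(strict_types=1);

function demoHashMetadata(string $password): array
{
    // Two hashes of the same password differ because each call draws a fresh random salt.
    $hashA = password_hash($password, PASSWORD_DEFAULT);
    $hashB = password_hash($password, PASSWORD_DEFAULT);

    // password_get_info() parses the algorithm name and options (such as cost) out of the hash string,
    // which is why no separate salt or algorithm column is needed in the database.
    $info = password_get_info($hashA);

    // A higher cost makes every hash and every verification slower; each +1 roughly doubles the work.
    $slowHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

    return [
        'hashes_differ' => $hashA !== $hashB,
        'both_verify'   => password_verify($password, $hashA) && password_verify($password, $hashB),
        'algo_name'     => $info['algoName'],        // algorithm parsed from the hash
        'cost'          => $info['options']['cost'], // cost parsed from the hash
        'cost12_prefix' => substr($slowHash, 0, 7),  // the "$2y$NN$" prefix carries the cost
    ];
}

// Argon2id is only present when PHP was built with libargon2, so guard with defined().
function hashWithArgon2idIfAvailable(string $password): ?string
{
    if (!defined('PASSWORD_ARGON2ID')) {
        return null;
    }
    return password_hash($password, PASSWORD_ARGON2ID, [
        'memory_cost' => 65536, // KiB; assumed demo value, tune for your servers
        'time_cost'   => 4,
        'threads'     => 1,
    ]);
}

print_r(demoHashMetadata('correct horse battery staple'));
$argon = hashWithArgon2idIfAvailable('correct horse battery staple');
echo $argon === null ? "Argon2id not compiled in\n" : substr($argon, 0, 10) . "...\n";
```

Because the algorithm and its parameters travel inside the hash string, password_verify() can check a bcrypt cost-10 hash, a cost-12 hash and an Argon2id hash from the same column without any extra bookkeeping.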
Verifying Passwords with password_verify()
Use password_verify() to safely compare a plain password with a hashed one from the database:
<?php
$entered = 'mySecurePassword123';
$storedHash = '$2y$10$ABC...'; // From DB
if (password_verify($entered, $storedHash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid credentials.';
}
?>
Should You Rehash Passwords?
If you change your hashing algorithm or its options (e.g., move to Argon2 or raise the bcrypt cost), use password_needs_rehash() to detect hashes made with the old settings:
<?php
$options = ['cost' => 12];
// $storedHash and $entered are the values from the verification step above
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
    $newHash = password_hash($entered, PASSWORD_DEFAULT, $options);
    // Update DB with $newHash
}
?>
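The verification and rehash snippets above are fragments; the following added example (not the article's own code) ties them into one register/login flow. The user store is an in-memory array constructed for the demo, the usernames and passwords are made up, and PHP 8.0 or later is assumed for str_starts_with(). It also shows a detail the fragments leave out: verifying against a throwaway hash when the username is unknown, so a failed login takes the same time whether or not the account exists.

```php
<?php
// Added example (not from the original article): registration, login and rehash-on-login
// against an in-memory "database". Replace the array reads/writes with real DB queries.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12]; // assumed target cost for this demo

/** @var array<string, string> $users  username => hash */
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // Hash once at registration; the plaintext is never stored.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash for unknown usernames so that the response time does not
    // reveal whether the account exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // The plaintext is only available during login, so this is the moment to upgrade
    // hashes created with an older algorithm or a lower cost.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Demo: seed one "legacy" cost-10 hash so the upgrade path is exercised.
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
registerUser($users, 'bob', 'a-long-made-up-passphrase');

var_dump(loginUser($users, 'alice', 'wrong-password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(str_starts_with($users['alice'], '$2y$12$')); // alice's hash now carries the new cost
var_dump(loginUser($users, 'nobody', 'anything'));
var_dump(loginUser($users, 'bob', 'a-long-made-up-passphrase'));
```

Keeping the algorithm and options in two constants means that raising the cost (or switching to Argon2id) later is a one-line change: every subsequent successful login silently migrates that user's hash, and password_needs_rehash() is a no-op for users who are already current.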
Best Practices
- Never store plain text passwords
- Always hash on registration and rehash on login if needed
- Use PASSWORD_DEFAULT unless you have specific requirements
- Enforce strong password policies (min length, symbols)
Summary
Use password_hash() to store passwords and password_verify() to validate them. Always rehash if your hashing strategy changes, and avoid manual salting or custom hash functions; PHP does it all securely under the hood.