DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
Building Scalable Real-Time Apps with AstraDB and Vaadin
Register Now

Trending

  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • Transactional Outbox Patterns Step by Step With Spring and Kotlin
  • Never Use Credentials in a CI/CD Pipeline Again
  • Scaling Site Reliability Engineering (SRE) Teams the Right Way

Trending

  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • Transactional Outbox Patterns Step by Step With Spring and Kotlin
  • Never Use Credentials in a CI/CD Pipeline Again
  • Scaling Site Reliability Engineering (SRE) Teams the Right Way
  1. DZone
  2. Data Engineering
  3. Data
  4. Hash Passwords with PHP 5.5

Hash Passwords with PHP 5.5

Paul Underwood user avatar by
Paul Underwood
·
Aug. 07, 13 · Interview
Like (0)
Save
Tweet
Share
3.97K Views

Join the DZone community and get the full member experience.

Join For Free

Almost every PHP developer has had to build an application that relies on a user login. This will involve the user of the website having a username and password that are stored in the database so he or she can log in to your website.

As passwords are stored in the database, it is important that you hash these passwords before you store them in the database. A password hash is a one-way encryption of a string, so you won't be able to decrypt this to find out what the password is.

You should never store a password in the database without hashing it first, if a third party gets access to your database, it will be able to get hold of all the passwords or your users. Some users will use the same password for all their accounts, including email, so it is important that you protect your users by hashing the passwords.

Password hashing is a one-way encryption so that when you are comparing the string with the password entered by the user you will need to hash the password they entered and compare this string with the hashed password; if they match then the password is correct.

Ways Of Hashing Passwords

A while ago, it was common to find people hashing passwords by using these functions.

  • md5()
  • sha1()
  • hash()

But these functions are not recommended to use when you are hashing passwords. This is because of the way these functions work. You can easily create a script to use brute force on this function to return a string that matches another md5() string. When using these functions, it doesn't matter how many times you pass a string into this function, it will also return the same hashed password. So, if two users have the same password and one user's password gets hacked, then the other user's password is too.

These functions are fine to use for other hashing but it is not recommended for passwords.

Instead of using these functions, you should be using crypt() or the hash() function. The complexity of these functions means that they are slower to run than the other md5() and sha1() functions. This means that the output from a brute force attack will take much longer to run than using the md5() function.

Another benefit of using the crypt() function is that you can pass a second parameter of a salt. A salt is an encrypted string that is added to the password during hashing; it is a way of adding additional data to the string that will make the hash harder to crack.

Password Hashing Using 5.5

In PHP version 5.5, password hashing functions were introduced into the core, giving you access to four functions to use when hashing passwords and verifying a password.

  • password_get_info — Returns information about the given hash.
  • password_hash — Creates a password hash.
  • password_needs_rehash — Checks if the given hash matches the given options.
  • password_verify — Verifies that a password matches a hash.

The two important functions to understand are the password_hash() and the password_verify().

Password_hash Function

The password_hash function will create the hashed password from a string. It takes three parameters: The first is the string to hash, second is the algorithm you want to use to hash the password and the third are additional options like salt to pass into the function.

$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
$hashed_password = password_hash( $string, PASSWORD_DEFAULT, $options );

The default hashing algorithm password_hash uses is currently bcrypt (note that this could change in the future as newer encryption algorithms are added into PHP).

The third parameter allows you to add a salt to the password; if one is not provided, then PHP will generate a random salt to use for each password generated. It is actually recommended to not generate a salt for this function but allow PHP to generate the salt for you.

Password Hash

Password_verify Function

This function is used to make sure that the string password and the string hashed password match and will return a Boolean TRUE if the passwords match.

$matched = password_verify( $password, $hashed_password );

Using just these two functions you can now easily create a user login section that generates secure passwords you can store in the database and match when the user logs in.

Password Verify

PHP Strings Data Types

Published at DZone with permission of Paul Underwood, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Trending

  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • Transactional Outbox Patterns Step by Step With Spring and Kotlin
  • Never Use Credentials in a CI/CD Pipeline Again
  • Scaling Site Reliability Engineering (SRE) Teams the Right Way
Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: