
PHP password_hash() Function

A user’s password is critical to keeping an application safe from different attacks. PHP offers several ways to store a password securely. The password_hash() function is one of them: it creates a new password hash using a one-way hashing algorithm. The syntax of this function is given below.

Syntax:

string|false password_hash(string $password, string|int|null $algo [, array $options = []])

The first argument is mandatory, and it is used to take the string value that will be hashed.

The second argument is mandatory, and it is used to take the integer or string that refers to an algorithm, which will be used to create the password hash. This function currently supports the following algorithms.

PASSWORD_DEFAULT:

It uses the BCRYPT algorithm to generate the password hash.

PASSWORD_BCRYPT:

It uses the CRYPT_BLOWFISH algorithm to generate the password hash.

PASSWORD_ARGON2I:

It uses the Argon2i hashing algorithm to generate the password hash, and it can be used if PHP has been compiled with Argon2 support.

PASSWORD_ARGON2ID:

It uses the Argon2id hashing algorithm to generate the password hash, and it can be used if PHP has been compiled with Argon2 support.

The third argument is optional, and it is used to define an array that contains the supported options of the used algorithm.

The following options are supported by the PASSWORD_BCRYPT algorithm.

salt:

This option is deprecated now. The salt value that is generated by default is better to use.

cost:

It is used to define the algorithm cost that should be used. The default value is 10.

The following options are supported by the PASSWORD_ARGON2I and PASSWORD_ARGON2ID algorithms.

memory_cost:

It is used to define the maximum memory in KB that can be used to generate the password hash by using the Argon2 hash.

time_cost:

It is used to define the maximum amount of time that can be used to generate the password hash by using the Argon2 hash.

threads:

It is used to define the number of threads to generate the password hash using the Argon2 hash.

The function returns the hashed password on success or false on failure.

password_hash() Function Examples

The uses of the password_hash() function to create hashed passwords are shown in the next part of the tutorial.

Example-1: Create a Hashed Password Using the Default Hash Algorithm

Create a PHP file with the following script that generates a hashed value of a password by using the password_hash() function with the default hashing algorithm. The original and hashed password strings will be printed as the script’s output.

<?php
//Set the password value
$password = 'secretpassword';

//Generate the hashed password based on the default algorithm
$hashed_password = password_hash($password, PASSWORD_DEFAULT);

//Print the original and hashed password
echo "The original password: <b>$password</b>";
echo "<br/>The hashed password using default algorithm: <b>$hashed_password</b>";
?>

Output:

The following output will appear after executing the above script.

Example-2: Create Hashed Password Using Cost Value and PASSWORD_BCRYPT Algorithm

Create a PHP file with the following script that generates a hashed value of a password by using the password_hash() function. The PASSWORD_BCRYPT algorithm and the cost value have been used in the password_hash() function to generate the hashed password. Both the original and hashed password strings will be printed as the output of the script.

<?php
//Set the password value
$password = 'secretpassword';

//Set the cost value for PASSWORD_BCRYPT algorithm
$option = [ "cost" => 5 ];

//Generate the hashed password using the PASSWORD_BCRYPT algorithm and the cost option
$hashed_password = password_hash($password, PASSWORD_BCRYPT, $option);

//Print the original and hashed password
echo "The original password: <b>$password</b>";
echo "<br/>The hashed password using PASSWORD_BCRYPT: <b>$hashed_password</b>";
?>

Output:

The following output will appear after executing the above script.
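The cost of 5 used above keeps the demonstration fast, but each increment of the bcrypt cost doubles the work per hash, so the value is normally chosen by timing it on the server that will run the application. The following added example (not part of the original tutorial) does that; the 0.25-second target, the search range, and the function names are assumptions.

```php
<?php
// Added example: choose a bcrypt cost by timing password_hash() on this machine.

// Seconds needed to compute one bcrypt hash at the given cost.
function time_bcrypt(int $cost): float
{
    $start = microtime(true);
    password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Lowest cost whose hashing time reaches $targetSeconds (assumed budget),
// searched between $minCost and $maxCost (bcrypt itself accepts 4 to 31).
function calibrate_bcrypt_cost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 20): int
{
    for ($cost = $minCost; $cost < $maxCost; $cost++) {
        if (time_bcrypt($cost) >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

printf("cost 5 takes %.4f s per hash\n", time_bcrypt(5));

$cost = calibrate_bcrypt_cost();
printf("calibrated cost %d takes %.4f s per hash\n", $cost, time_bcrypt($cost));

// The cost is recorded inside the hash string, which password_get_info() can read back.
$hash = password_hash('secretpassword', PASSWORD_BCRYPT, ['cost' => $cost]);
$info = password_get_info($hash);
echo "Stored in hash: {$info['algoName']}, cost {$info['options']['cost']}\n";
```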

Example-3: Create a Hashed Password Using the PASSWORD_ARGON2I Algorithm

Create a PHP file with the following script that will generate a hashed value of a password by using the password_hash() function. The PASSWORD_ARGON2I algorithm has been used in the password_hash() function to generate the hashed password. The original and hashed password strings will be printed as the script’s output.

<?php
//Set the password value
$password = 'secretpassword';

//Generate the hashed password using the PASSWORD_ARGON2I algorithm
$hashed_password = password_hash($password, PASSWORD_ARGON2I);

//Print the original and hashed password
echo "The original password: <b>$password</b>";
echo "<br/>The hashed password using PASSWORD_ARGON2I: <b>$hashed_password</b>";
?>

Output:

The following output will appear after executing the above script.
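Because the Argon2 constants are available only when PHP has been compiled with Argon2 support, a script can check for the algorithm before using it. The following added example (not part of the original tutorial) passes the memory_cost, time_cost, and threads options explicitly and falls back to bcrypt; the option values and the function name are assumptions.

```php
<?php
// Added example: prefer Argon2id with explicit options, fall back to bcrypt
// when this PHP build has no Argon2 support.

function hash_with_best_algo(string $password): string
{
    // password_algos() (PHP 7.4+) lists the algorithm identifiers this build supports.
    if (in_array('argon2id', password_algos(), true)) {
        return password_hash($password, PASSWORD_ARGON2ID, [
            'memory_cost' => 65536, // assumed value, in KB
            'time_cost'   => 4,     // assumed value
            'threads'     => 1,     // assumed value
        ]);
    }
    // Fallback for builds without Argon2 (cost value is an assumption).
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

$hash = hash_with_best_algo('secretpassword');
$info = password_get_info($hash);

echo "Algorithm: {$info['algoName']}\n";
foreach ($info['options'] as $name => $value) {
    echo "  $name = $value\n";
}

// The options travel inside the hash string, so password_verify() needs no extra arguments.
echo password_verify('secretpassword', $hash) ? "verify: ok\n" : "verify: failed\n";
```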

Example-4: Using password_hash() Function With password_verify() Function

Create a PHP file with the following script that generates a hashed password from a string by using the password_hash() function and then verifies it by using the password_verify() function. The password is taken from the URL parameter and checked by passing the given password value and the hashed password as the arguments of the password_verify() function. If this function returns true, then the password is valid; otherwise, the password is invalid.

<?php
//Set the password value
$password = 'secretpassword';

//Generate the hashed password based on default algorithm
$hashed_password = password_hash($password, PASSWORD_DEFAULT);

if(isset($_GET['password']))
{
    //Assign the password given from the URL
    $v_password = $_GET['password'];

    //Check the password validity by using password_verify() function
    if(password_verify($v_password, $hashed_password))
        echo 'Password is valid.';
    else
        echo 'Password is invalid.';
}
else
    echo "Password is not given.";
?>

Output:

After executing the above script without the URL parameter, the following output will appear.

http://localhost/php/pass4.php

The following output will appear after executing the above script with the URL parameter value ‘secretpassword’. The hashed password was generated for this value in the script, so the password is valid.

http://localhost/php/pass4.php?password=secretpassword

The following output will appear after executing the above script with the URL parameter value ‘secret’. So, the password is invalid.

http://localhost/php/pass4.php?password=secret
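Example-4 hashes a fixed password on every request. In an application the hash is created once, stored, and checked at login, and a hash made with an older cost can be upgraded at that moment with password_needs_rehash(). The following added example (not part of the original tutorial) shows that flow; the $users array is a constructed stand-in for a database table, and the cost policy, the POST field, and the function name are assumptions.

```php
<?php
// Added example: verify a login and upgrade an outdated hash in the same step.

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // assumed current policy

// Constructed sample data: a user whose hash was created earlier with cost 5.
$users = [
    'alice' => password_hash('secretpassword', PASSWORD_BCRYPT, ['cost' => 5]),
];

function check_login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // The hash records its own algorithm and cost, so an outdated one can be detected
    // and replaced while the plain-text password is still available.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Read the password from the POST body rather than the URL: query strings are
// written to server logs and browser history. The fallback lets the script run from the CLI.
$submitted = $_POST['password'] ?? 'secretpassword';

$before = password_get_info($users['alice'])['options']['cost'];
$ok     = check_login($users, 'alice', $submitted);
$after  = password_get_info($users['alice'])['options']['cost'];

echo $ok ? "Password is valid.\n" : "Password is invalid.\n";
echo "Cost before login: $before, after login: $after\n";

// A wrong password is rejected and leaves the stored hash untouched.
echo check_login($users, 'alice', 'secret') ? "Password is valid.\n" : "Password is invalid.\n";
```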

Conclusion

Different ways of creating a hashed password by using the password_hash() function have been shown in the examples of this tutorial to help PHP users apply this function properly in their scripts.

About the author

Fahmida Yesmin

I am a trainer of web programming courses. I like to write articles or tutorials on various IT topics. I have a YouTube channel where many types of tutorials based on Ubuntu, Windows, Word, Excel, WordPress, Magento, Laravel etc. are published: Tutorials4u Help.