Password Hashing and Verification in PHP
Last Updated :
19 Jun, 2025
When Handling passwords securely in PHP the recommended approach is to use hashing. Instead of encrypting passwords, it is better to hash them because hashing is a one-way process, which means it can not be reversed. This makes it more secure.
Encryption on the other hand can be useful when you need to decrypt data. For this reason, hashing is the safer and preferred method for password storage in PHP. This uses the PHP Password API available in version 5.5.0 and above.
How to Hash a Password in PHP
To generate a hash from the string, we use the password_hash() function. This function uses strong hashing algorithms such as bcrypt and argon2 to securely generate a password hash.
Syntax:
string password_hash(string $password,
mixed $algo, [array $options])- The password_hash() function creates a new password hash of the string using one of the available hashing algorithm.
- It returns the hash that is currently 60 character long, however, as new and stronger algorithms will be added to PHP, the length of the hash may increase.
- It is therefore recommended to allocate 255 characters for the column that may be used to store the hash in database.
The following algorithms are currently supported when using this function:
- PASSWORD_DEFAULT
- PASSWORD_BCRYPT
- PASSWORD_ARGON2I
- PASSWORD_ARGON2ID
Example: The below example shows the method of using the password_hash() method:
php
<?php
// The plain text password to be hashed
$plaintext_password = "Password@123";
// The hash of the password that
// can be stored in the database
$hash = password_hash($plaintext_password,
PASSWORD_DEFAULT);
// Print the generated hash
echo "Generated hash: ".$hash;
?>
Output:
Generated hash: $2y$10$7rLSvRVyTQORapkDOqmkhetjF6H9lJHngr4hJMSM2lHObJbW5EQh6
How to Verify a Password
Once a password is hashed and stored, you cannot retrieve the original password. To decrypt a password hash and retrieve the original string, we use the password_verify() function. This function checks if the provided plaintext password matches the stored hashed password.
Syntax:
bool password_verify(string $password, string $hash)
The password_verify() function verifies that the given hash matches the given password, generated by the password_hash() function. It returns true if the password and hash match, or false otherwise.
Example: The below example shows how to verify a user's password against the stored hash:
php
<?php
// Plaintext password entered by the user
$plaintext_password = "Password@123";
// The hashed password retrieved from database
$hash =
"$2y$10$8sA2N5Sx/1zMQv2yrTDAaOFlbGWECrrgB68axL.hBb78NhQdyAqWm";
// Verify the hash against the password entered
$verify = password_verify($plaintext_password, $hash);
// Print the result depending if they match
if ($verify) {
echo 'Password Verified!';
} else {
echo 'Incorrect Password!';
}
?>
Output:
Password Verified!
Important to Remember
- Choosing the Right Algorithm: Use
PASSWORD_DEFAULT (bcrypt) for balanced security and performance. Consider argon2 for stronger security in newer PHP versions. - Storing the Hash: Allocate atleast 255 characters in your database to store password hashes because hash length may vary with different algorithms.
- Salting:
password_hash() automatically generates and includes the salt in the hash, so no need for manual salting.
Conclusion
When dealing with passwords in PHP we use password_hash() function to ensure that passwords are stored securely and correctly. Always verify passwords with password_verify() to authenticate users while maintaining security. Never store plaintext passwords, try to always hash them.
Similar Reads
How to Secure hash and salt for PHP passwords ? Salting and hashing is a technique to store the password in a database. In cryptography, salting means to add some content along with the password and then hashing it. So salt and hash provide two levels of security. Salting always makes unique passwords i.e if there are two same passwords, after sa
2 min read
How to use bcrypt for hashing passwords in PHP? Everyone knows and understands that storing the password in a clear text in the database is a quite rude thing and not secure. Yet, several do it because it makes an internet site quite easy for password recovery or testing. The bcrypt is a password hashing technique used to build password security.
2 min read
Generating OTP (One time Password) in PHP Now these days, OTP (one time password) is mandatory in almost each and every service. A developer can generate OTP in many ways but the challenge is not to be predictive as any one can predict the OTP and can exploit the service. Some of popular format of OTPs are: 4 or 6 digit Numeric OTP. 4 or 6
2 min read
How to Validate Password using Regular Expressions in PHP ? Password validation is a crucial part of web application security. Regular expressions provide a powerful tool to define complex patterns. This article will guide you through various approaches to validate passwords using regular expressions in PHP. Approach 1: Basic Password ValidationIn this case,
1 min read
How to Create MD5 Hashes in PHP ? MD5 is a widely used hash function that produces a fixed-size 128-bit hash value from arbitrary input data. In PHP, creating MD5 hashes is a common task, often used for password hashing, data integrity verification, or generating unique identifiers. In this article, we'll explore different approache
1 min read
How to generate simple random password from a given string using PHP ? In this article, we will see how to generate a random password using the given string. We have given a string and the task is to generate a random password from it. Example: Input: abgADKL123 Output: abgADKL123 Input: geeksforgeeks Output: egksegsfroeke To achieve this, we use the following approach
3 min read