PHP Password Hashing Functions

As more web services avoid storing passwords in plain text, languages such as PHP provide various one-way (undecryptable) hash functions to support this more secure industry standard. This topic documents proper password hashing with PHP.

Creating a password hash

Create password hashes with password_hash() to use the current industry best-practice hash or key derivation function. At the time of writing, the standard is bcrypt, which means that PASSWORD_DEFAULT contains the same value as PASSWORD_BCRYPT.

// optional settings for the hashing algorithm
$options = [
 'cost' => 12,
];
$hashedPassword = password_hash($plaintextPassword, PASSWORD_DEFAULT, $options);

The third parameter is not mandatory.

The 'cost' value should be chosen based on your production server's hardware. Increasing it makes each password hash more costly to compute, and the costlier a hash is to compute, the longer it takes anyone trying to crack it, because they have to compute it too. The cost should ideally be as high as possible, but in practice it should be set so that it does not slow everything down too much. Somewhere between 0.1 and 0.4 seconds would be okay. Use the default value if you are in doubt.
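
One way to pick the cost for your hardware, as an added example that is not part of the original tutorial: it times password_hash() at increasing costs and keeps the highest one that stays under the 0.4 second upper bound mentioned above. The function name calibrateBcryptCost(), the floor of 10 and the sample password are assumptions made for this example; PHP 7.0 or later is assumed for the scalar type declarations.

```php
<?php
// Added example: choose a bcrypt cost by timing password_hash() on this host.
// calibrateBcryptCost() and its default values are assumptions of this example.
function calibrateBcryptCost(float $maxSeconds = 0.4, int $floor = 10, int $ceiling = 31): int
{
    $chosen = $floor;                       // never go below the floor
    // bcrypt accepts costs 4..31; each step up doubles the work
    for ($cost = $floor; $cost <= $ceiling; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;

        if ($elapsed > $maxSeconds) {
            break;                          // over budget: keep the previous cost
        }
        $chosen = $cost;                    // within budget: try one step higher
    }
    return $chosen;
}

$cost = calibrateBcryptCost();

$plaintextPassword = 'correct horse battery staple'; // constructed sample input
$start = microtime(true);
$hashedPassword = password_hash($plaintextPassword, PASSWORD_BCRYPT, ['cost' => $cost]);
$elapsed = microtime(true) - $start;

printf("chosen cost: %d (one hash took %.3f s)\n", $cost, $elapsed);
// The cost is recorded inside the hash string, so it can be read back later.
printf("cost stored in hash: %d\n", password_get_info($hashedPassword)['options']['cost']);
```

Run it on the production hardware under realistic load, since a single timing sample is noisy, and store the result in the application's configuration rather than calibrating on every request.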

Version < 5.5

On PHP versions lower than 5.5.0, the password_* functions are not available. You should use the compatibility pack to substitute those functions. Note that the compatibility pack requires PHP 5.3.7 or higher, or a version that has the $2y fix backported into it (such as Red Hat provides).

If you are not able to use those, you can implement password hashing with crypt(). As password_hash() is implemented as a wrapper around the crypt() function, you need not lose any functionality.

// This is a simple implementation of a bcrypt hash that is otherwise compatible
// with `password_hash()`.
// It is not guaranteed to maintain the same cryptographic strength as the full
// `password_hash()` implementation.

// If `CRYPT_BLOWFISH` is 1, that means bcrypt (which uses Blowfish) is available
// on your system
if (CRYPT_BLOWFISH == 1) {
 // 16 random bytes for the salt (requires the mcrypt extension)
 $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
 $salt = base64_encode($salt);
 // crypt uses a modified base64 variant
 $source = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
 $dest = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 $salt = strtr(rtrim($salt, '='), $source, $dest);
 // keep the first 22 characters as the salt
 $salt = substr($salt, 0, 22);
 // `crypt()` determines which hashing algorithm to use by the form of the salt string
 // that is passed in
 $hashedPassword = crypt($plaintextPassword, '$2y$10$'.$salt.'$');
}

Salt for password hash

Despite the reliability of the crypt algorithm, hashes are still vulnerable to rainbow tables. That is why using a salt is recommended.
A salt is something that is appended to the password before hashing to make the source string unique. Given two identical passwords, the resulting hashes will still differ, because their salts are unique.

A random salt is one of the most important pieces of your password security. This means that even with a lookup table of known password hashes, an attacker can’t match up your user’s password hash with the database password hashes, since a random salt has been used. You should always use random and cryptographically secure salts.

With the bcrypt algorithm used by password_hash(), the plain text salt is stored along with the resulting hash, which means that the hash can be transferred across different systems and platforms and still be matched against the original password.
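
The following added example (not part of the original tutorial) shows the salt travelling inside the bcrypt string: it hashes the same password twice, splits each result into its fields, and checks both using only the stored string. parseBcryptHash() and the sample password are constructed for this illustration; PHP 7.0 or later is assumed.

```php
<?php
// Added example: split a bcrypt string from password_hash() into its fields.
// Layout: $2y$ + two-digit cost + $ + 22-char salt + 31-char digest (60 chars).
// parseBcryptHash() is a helper written for this example, not a PHP built-in.
function parseBcryptHash(string $hash): array
{
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Hash the same password twice with the same cost; no salt option is passed,
// so password_hash() generates a fresh random salt each time.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$a = parseBcryptHash($first);
$b = parseBcryptHash($second);
printf("salt 1: %s\nsalt 2: %s\n", $a['salt'], $b['salt']);

// Compare the salts and the full strings of the two results.
var_dump($a['salt'] !== $b['salt']);
var_dump($first !== $second);

// Verification needs only the stored string: cost and salt are read from it.
var_dump(password_verify($password, $first));
var_dump(password_verify($password, $second));
var_dump(password_verify('wrong guess', $first));

// Passing a stored hash to crypt() as the salt argument reuses its embedded
// cost and salt; compare the recomputed string with the stored one.
var_dump(hash_equals($first, crypt($password, $first)));
```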

Version < 7.0

Although this is discouraged, you can use the salt option to define your own random salt.

$options = [
 'salt' => $salt, // your own random salt
];

Important. If you omit this option, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

Version ≥ 7.0

The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

