PHP Password Functions In 5.5

4th March 2014 - 6 minutes read time

New in PHP 5.5 is a group of functions that deal with password hashing and verification. This is such a common thing for PHP applications to do that it was decided to include it into the core of PHP. They effectively solve the problem of hashing and comparing passwords that just about every PHP developer has implemented at one point or another.

There are only a few functions available but they provide all of the functionality needed to create a hash value from a password, check if the hash is valid and to check if the password hash needs to be recreated.

To create a hash value from a password use the password_hash() function. The first parameter is the password string and the second value is the hashing algorithm to use. The value PASSWORD_DEFAULT here is a PHP constant that is currently set to the bcrypt algorithm and will be changed to better algorithms when and if they are found in newer versions of PHP.

$password = 'changeme';
$password_hash = password_hash($password, PASSWORD_DEFAULT);

You can force the password_hash() function to always use the bcrypt algorithm by using the PASSWORD_BCRYPT constant.

$password = 'changeme';
$password_hash = password_hash($password, PASSWORD_BCRYPT);

The password_hash() function also takes a third parameter of an array of options. This allows you to set a default salt and cost for the encryption algorithm. The 'salt' value allows you to enter a pre-determined salt for use when hashing the password, if this is omitted then a random salt is generated by the password_hash() function.

$password_hash = password_hash($password, PASSWORD_DEFAULT, array('salt' => 'sfyaisdyfiosydfsd6f896sd68f8asdftasdiutfisduft'));

The 'cost' parameter essentially describes the number of iterations that the hashing algorithm will run through, although it really represents a logarithmic iteration value. The default value is 10, which is a good baseline. Increasing this value will allow for a more secure hash, but will adversely effect the performance of the function.

$password_hash = password_hash($password, PASSWORD_DEFAULT, array('salt' => 'sfyaisdyfiosydfsd6f896sd68f8asdftasdiutfisduft', 'cost' => 12));

Once the hash has been created you can then verify that the password matches the hash value using the password_verify() function. The two parameters that this function takes are the password and the hashed password value.

$password = 'changeme';
$password_hash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($password, $password_hash))) {
  // password is valid
}

You can also check to see if the password hash needs to be redone with the password_needs_rehash() function. This will check a hashed password and return true if the hashed value was generated by a different hashing algorithm. This allows you to update your existing password hashes when a change to the algorithm has been made. If this returns true then you would rehash the password again in order to save it under the new algorithm.

$password = 'change me';
$password_hash = ''; // existing password hash
if (password_needs_rehash($password_hash, PASSWORD_DEFAULT)) {
  $password_hash = password_hash($password, PASSWORD_DEFAULT);
}

Because passwords created by password_hash() use the C crypt scheme you can also use password_verify() to check hashes from the crypt() function in the same way as you would from the password_hash() function.

$password = 'password';
$password_hash = crypt($password);
var_dump(password_verify($password, $password_hash));

If you are running a version of PHP less than 5.5 then there is a userland implementation of the password functions available. All you need to do is download the password.php file (in the lib directory) and include it in your application to start using these functions. You can also wrap it in an 'if' statement in order to detect the correct version of PHP and only include the password file if the version is less than 5.5. The upshot of this method is that you can be sure that your code will still work when up upgrade your PHP version to 5.5, and all you have to do is remove this single reference.

if (version_compare(phpversion(), '5.5', '<')) {
  require('password.php');
}
functions
PHP
passwords

Add new comment

The content of this field is kept private and will not be shown publicly.
CAPTCHA
2 + 10 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Related Content

Recreating Spotify Wrapped In PHP

17th March 2024

I quite like the end of the year report from Spotify that they call "Wrapped". This is a little application in which they tell you what your favorite artist was and what sort of genres you listened to the most during the year.

Read more

Should A Constructor Throw An Exception?

18th February 2024

Let's say you had a class that you wanted to use, but there was some sort of error in creating the object. This might be that the wrong parameters were passed, or the third party service (eg. a database) wasn't available at the time of creation.

Read more

PHP Question: Variable Reference

10th December 2023

Question

What does the following code print out?

function arrayPrint($array)
{
   echo implode(' ', $array);
}

$arrayA = [1, 2, 3];
$arrayB = $arrayA;
$arrayB[1] = 0;
arrayPrint($arrayA);

Read more

Creating An Authentication System With PHP and MariaDB

15th October 2023

Using frameworks to handle the authentication of your PHP application is perfectly fine to do, and normally encouraged. They abstract away all of the complexity of managing users and sessions that need to work in order to allow your application to function.

Read more

Creating Sparklines In PHP

17th September 2023

A sparkline is a very small line graph that is intended to convey some simple information, usually in terms of a numeric value over time. They tend to lack axes or other labels and are added to information readouts in order to expand on numbers in order to give them more context.

Read more