PHP
Secure Password Hashing with Bcrypt in PHP
Learn to securely hash and verify user passwords in PHP using the robust `password_hash()` and `password_verify()` functions with the Bcrypt algorithm, enhancing your application's security.
<?php
/**
* Hashes a plain-text password using the Bcrypt algorithm.
* Always use a strong, unique salt per password (handled by password_hash automatically).
*
* @param string $plainTextPassword The password to hash.
* @return string The hashed password.
*/
function hashPassword(string $plainTextPassword): string
{
// PASSWORD_BCRYPT is the recommended algorithm.
// PASSWORD_DEFAULT constantly updates to the latest strong algorithm.
// Cost factor can be adjusted (default is 10). Higher cost means slower hashing, but more secure.
$options = [
'cost' => 12, // Adjust cost as needed; higher is more secure but slower.
];
return password_hash($plainTextPassword, PASSWORD_BCRYPT, $options);
}
/**
* Verifies a plain-text password against a hashed password.
*
* @param string $plainTextPassword The password provided by the user.
* @param string $hashedPassword The hashed password stored in the database.
* @return bool True if the passwords match, false otherwise.
*/
function verifyPassword(string $plainTextPassword, string $hashedPassword): bool
{
return password_verify($plainTextPassword, $hashedPassword);
}
// --- Usage Example ---
$userPassword = 'mySecretPassword123!';
// 1. Hash the password (e.g., during user registration)
$hashedPwd = hashPassword($userPassword);
echo "Hashed Password: " . $hashedPwd . "
";
// In a real application, $hashedPwd would be stored in a database.
// 2. Verify the password (e.g., during user login)
$loginAttemptPassword = 'mySecretPassword123!'; // User input
if (verifyPassword($loginAttemptPassword, $hashedPwd)) {
echo "Password verification successful! User logged in.
";
} else {
echo "Password verification failed! Invalid credentials.
";
}
// Test with an incorrect password
$incorrectPassword = 'wrongPassword';
if (verifyPassword($incorrectPassword, $hashedPwd)) {
echo "This should not happen: Incorrect password verified.
";
} else {
echo "Correctly failed to verify incorrect password.
";
}
// It's also good practice to rehash if the cost needs updating
if (password_needs_rehash($hashedPwd, PASSWORD_BCRYPT, ['cost' => 12])) {
$newHashedPwd = hashPassword($userPassword); // Rehash with updated cost
echo "Password rehashed with updated cost: " . $newHashedPwd . "
";
// Update the stored hash in the database
}
?>
How it works: This PHP snippet demonstrates the secure way to handle user passwords using PHP's built-in `password_hash()` and `password_verify()` functions. `password_hash()` automatically generates a cryptographically secure salt and hashes the password using the specified algorithm (Bcrypt is recommended). The `password_verify()` function then safely compares a plain-text password with its hashed version, preventing common attacks like rainbow table lookups. The `cost` parameter allows tuning the hashing difficulty, making brute-force attacks computationally expensive.