PHP

Secure Password Hashing with Bcrypt in PHP

Learn to securely hash and verify user passwords in PHP using the robust `password_hash()` and `password_verify()` functions with the Bcrypt algorithm, enhancing your application's security.

<?php

/**
 * Hashes a plain-text password using the Bcrypt algorithm.
 * Always use a strong, unique salt per password (handled by password_hash automatically).
 *
 * @param string $plainTextPassword The password to hash.
 * @return string The hashed password.
 */
function hashPassword(string $plainTextPassword): string
{
    // PASSWORD_BCRYPT is the recommended algorithm.
    // PASSWORD_DEFAULT constantly updates to the latest strong algorithm.
    // Cost factor can be adjusted (default is 10). Higher cost means slower hashing, but more secure.
    $options = [
        'cost' => 12, // Adjust cost as needed; higher is more secure but slower.
    ];
    return password_hash($plainTextPassword, PASSWORD_BCRYPT, $options);
}

/**
 * Verifies a plain-text password against a hashed password.
 *
 * @param string $plainTextPassword The password provided by the user.
 * @param string $hashedPassword The hashed password stored in the database.
 * @return bool True if the passwords match, false otherwise.
 */
function verifyPassword(string $plainTextPassword, string $hashedPassword): bool
{
    return password_verify($plainTextPassword, $hashedPassword);
}

// --- Usage Example ---
$userPassword = 'mySecretPassword123!';

// 1. Hash the password (e.g., during user registration)
$hashedPwd = hashPassword($userPassword);
echo "Hashed Password: " . $hashedPwd . "
";

// In a real application, $hashedPwd would be stored in a database.

// 2. Verify the password (e.g., during user login)
$loginAttemptPassword = 'mySecretPassword123!'; // User input

if (verifyPassword($loginAttemptPassword, $hashedPwd)) {
    echo "Password verification successful! User logged in.
";
} else {
    echo "Password verification failed! Invalid credentials.
";
}

// Test with an incorrect password
$incorrectPassword = 'wrongPassword';
if (verifyPassword($incorrectPassword, $hashedPwd)) {
    echo "This should not happen: Incorrect password verified.
";
} else {
    echo "Correctly failed to verify incorrect password.
";
}

// It's also good practice to rehash if the cost needs updating
if (password_needs_rehash($hashedPwd, PASSWORD_BCRYPT, ['cost' => 12])) {
    $newHashedPwd = hashPassword($userPassword); // Rehash with updated cost
    echo "Password rehashed with updated cost: " . $newHashedPwd . "
";
    // Update the stored hash in the database
}

?>
How it works: This PHP snippet demonstrates the secure way to handle user passwords using PHP's built-in `password_hash()` and `password_verify()` functions. `password_hash()` automatically generates a cryptographically secure salt and hashes the password using the specified algorithm (Bcrypt is recommended). The `password_verify()` function then safely compares a plain-text password with its hashed version, preventing common attacks like rainbow table lookups. The `cost` parameter allows tuning the hashing difficulty, making brute-force attacks computationally expensive.

Need help integrating this into your project?

Our team of expert developers can help you build your custom application from scratch.

Hire DigitalCodeLabs