How to properly hash a string for a password in PHP
Jul 10, 2025 pm 12:58 PM
To properly hash passwords in PHP, use password_hash() with PASSWORD_DEFAULT because it automatically handles salting and uses a secure algorithm like bcrypt. Always store the result in a column of at least 255 characters. 1. Avoid setting a fixed cost unless necessary; default settings are usually sufficient. 2. Adjust cost only after performance testing to balance security and speed. 3. Use password_verify() to check passwords during login, which is secure against timing attacks. 4. Use password_needs_rehash() to update hashes when settings change. 5. Remember that hashing is one-way and not encryption; never attempt to reverse it. Implement password reset mechanisms instead of recovery.
Hashing a password properly in PHP isn’t just about using the right function — it's about understanding why you're doing what you're doing. The goal is to securely store passwords so even if your database gets exposed, the actual passwords aren't easily recoverable.
Use password_hash() with PASSWORD_DEFAULT
PHP has a built-in function called password_hash() that handles everything you need for secure password hashing. It automatically generates a salt (which you don’t have to worry about), uses a strong algorithm, and returns a hashed string ready for storage.
Here’s how you use it:
$hashedPassword = password_hash($plainTextPassword, PASSWORD_DEFAULT);
$plainTextPasswordis the user's password they provided during registration or login.PASSWORD_DEFAULTtells PHP to use the current secure default algorithm, which as of now is bcrypt, but may change in future versions — and that’s a good thing because it means your code stays up-to-date without requiring changes.
You should always store the result in a database column that’s at least 255 characters long since future algorithms might produce longer hashes.
Don’t Set a Fixed Cost Unless Necessary
By default, password_hash() uses reasonable cost settings (like cost=10 for bcrypt). You can override this by passing options:
$options = [
'cost' => 12,
];
$hashedPassword = password_hash($password, PASSWORD_DEFAULT, $options);But unless you know what you're doing and have tested performance on your server:
- Don’t increase the cost too much — it will slow down your app.
- Don’t hardcode values unnecessarily.
Too high of a cost can cause noticeable delays during login or registration. Too low, and it becomes easier for attackers to brute-force hashes.
Some things to consider:
- Start with the defaults.
- Test performance under load.
- Only adjust if needed for security vs speed balance.
Always Verify Using password_verify()
When a user logs in, you need to check their input against the stored hash. That’s where password_verify() comes in:
if (password_verify($userInput, $storedHash)) {
// Password is correct
} else {
// Invalid credentials
}This function is safe against timing attacks and works regardless of the algorithm used when the password was originally hashed.
One important note:
If you ever update the hashing algorithm or cost setting, existing hashes still work. But you should rehash them next time the user logs in. You can check if rehashing is needed like this:
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
$storedHash = password_hash($password, PASSWORD_DEFAULT, $options);
// Save the new hash back to the database
}Hashing Isn't Encryption
A final point that often gets confused: hashing is not encryption.
- Hashing is one-way — you can’t reverse it to get the original password.
- Encryption is two-way — data can be decrypted back to its original form.
So never try to "decrypt" a password. If a user forgets theirs, provide a reset mechanism, not a recovery one.
That’s really all you need for secure password handling in PHP. No need to write your own hashing logic, add extra salts manually, or use outdated methods like md5() or sha1(). Just stick to the built-in functions and keep it simple.
The above is the detailed content of How to properly hash a string for a password in PHP. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to get the current session ID in PHP?
Jul 13, 2025 am 03:02 AM
The method to get the current session ID in PHP is to use the session_id() function, but you must call session_start() to successfully obtain it. 1. Call session_start() to start the session; 2. Use session_id() to read the session ID and output a string similar to abc123def456ghi789; 3. If the return is empty, check whether session_start() is missing, whether the user accesses for the first time, or whether the session is destroyed; 4. The session ID can be used for logging, security verification and cross-request communication, but security needs to be paid attention to. Make sure that the session is correctly enabled and the ID can be obtained successfully.
PHP get substring from a string
Jul 13, 2025 am 02:59 AM
To extract substrings from PHP strings, you can use the substr() function, which is syntax substr(string$string,int$start,?int$length=null), and if the length is not specified, it will be intercepted to the end; when processing multi-byte characters such as Chinese, you should use the mb_substr() function to avoid garbled code; if you need to intercept the string according to a specific separator, you can use exploit() or combine strpos() and substr() to implement it, such as extracting file name extensions or domain names.
How to split a string into an array in PHP
Jul 13, 2025 am 02:59 AM
In PHP, the most common method is to split the string into an array using the exploit() function. This function divides the string into multiple parts through the specified delimiter and returns an array. The syntax is exploit(separator, string, limit), where separator is the separator, string is the original string, and limit is an optional parameter to control the maximum number of segments. For example $str="apple,banana,orange";$arr=explode(",",$str); The result is ["apple","bana
Using std::chrono in C
Jul 15, 2025 am 01:30 AM
std::chrono is used in C to process time, including obtaining the current time, measuring execution time, operation time point and duration, and formatting analysis time. 1. Use std::chrono::system_clock::now() to obtain the current time, which can be converted into a readable string, but the system clock may not be monotonous; 2. Use std::chrono::steady_clock to measure the execution time to ensure monotony, and convert it into milliseconds, seconds and other units through duration_cast; 3. Time point (time_point) and duration (duration) can be interoperable, but attention should be paid to unit compatibility and clock epoch (epoch)
How does PHP handle Environment Variables?
Jul 14, 2025 am 03:01 AM
ToaccessenvironmentvariablesinPHP,usegetenv()orthe$_ENVsuperglobal.1.getenv('VAR_NAME')retrievesaspecificvariable.2.$_ENV['VAR_NAME']accessesvariablesifvariables_orderinphp.iniincludes"E".SetvariablesviaCLIwithVAR=valuephpscript.php,inApach
Why We Comment: A PHP Guide
Jul 15, 2025 am 02:48 AM
PHPhasthreecommentstyles://,#forsingle-lineand/.../formulti-line.Usecommentstoexplainwhycodeexists,notwhatitdoes.MarkTODO/FIXMEitemsanddisablecodetemporarilyduringdebugging.Avoidover-commentingsimplelogic.Writeconcise,grammaticallycorrectcommentsandu
PHP header redirect not working
Jul 14, 2025 am 01:59 AM
Reasons and solutions for the header function jump failure: 1. There is output before the header, and all pre-outputs need to be checked and removed or ob_start() buffer is used; 2. The failure to add exit causes subsequent code interference, and exit or die should be added immediately after the jump; 3. The path error should be used to ensure correctness by using absolute paths or dynamic splicing; 4. Server configuration or cache interference can be tried to clear the cache or replace the environment test.
PHP prepared statement get result
Jul 14, 2025 am 02:12 AM
The method of using preprocessing statements to obtain database query results in PHP varies from extension. 1. When using mysqli, you can obtain the associative array through get_result() and fetch_assoc(), which is suitable for modern environments; 2. You can also use bind_result() to bind variables, which is suitable for situations where there are few fields and fixed structures, and it is good compatibility but there are many fields when there are many fields; 3. When using PDO, you can obtain the associative array through fetch (PDO::FETCH_ASSOC), or use fetchAll() to obtain all data at once, so the interface is unified and the error handling is clearer; in addition, you need to pay attention to parameter type matching, execution of execute(), timely release of resources and enable error reports.
