PHP secure password with password_hash() and verify with password_verify()
In this article, you will learn how to generate hash password using PHP password_hash() and store in database and retrieve the password from database and verify the user password in secure way using PHP password_verify() method. Password storage is very crucial parts. If an hacker is able to break into the database and steal the passwords table, the attacker could then access every client account.
In older articles, we had used MD5 and SH1 hashing to store passwords. These methods are old and not much secure as this can be easily cracked. In the latest versions of PHP, there is no need to encrypt or decrypt a password or use your own hashing algorithm. So in this article, we have used the password hashing techniques that was introduced in PHP >= 5.5.
password_hash()
The password_hash() method creates a new password hash using a one way strong hashing algorithm. It randomly generates a salt while hashing passwords. So, there is no need to create and store salt in a separate column. It is easiest and most secure approach.
Syntax
password_hash($password, $algorithm, $options)Parameters
$password - The password entered by the user.
$algorithm - This is the hashing algorithm. These are the following current hashing algorithm -
- PASSWORD_DEFAULT - This is the default hashing algorithm introduced in PHP 5.5. It returns the password hash more than 60 characters.
password_hash($password, PASSWORD_DEFAULT) - PASSWORD_BCRYPT - It is used to create a password hash using CRYPT_BLOWFISH algorithm. It returns 60 characters password hash identified with '$2y$'.
password_hash($password, PASSWORD_BCRYPT)
The third parameter of password_hash() contains optional parameter which is an associative array. The supported options of PASSWORD_BCRYPT are salt and cost.
Salt - We can provide manual salts.
Cost - Maximum algorithmic cost to be applied, the default value is 10.
$options = array( 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), 'cost' => 12, ); $password_hash = password_hash($password, PASSWORD_BCRYPT, $options); - PASSWORD_ARGON2I - It is introduced in PHP 7.2 and provides security against side channel attacks. We can use this algorithm only if PHP has been compiled with Argon2. Argon2 is a winner of the Password Hashing Competition in July 2015.
password_hash($password, PASSWORD_ARGON2I)
The third parameter of password_hash() contains optional parameter which is an associative array. The supported options of PASSWORD_ARGON2I are memory_cost, time_cost and threads.
Memory Cost - Maximum memory cost to be applied to generate the hash.
Time Cost - Maximum time to be taken to calculate the hash.
Threads - Number of threads to be used.
$options = [ 'memory_cost' => 2048 'time_cost' => 4, 'threads' => 3, ]; $password_hash = password_hash($password, PASSWORD_ARGON2I, $options); - PASSWORD_ARGON2ID - It is introduced in PHP 7.3. We can use this algorithm only if PHP has been compiled with Argon2.
password_hash($password, PASSWORD_ARGON2ID)
The supported options of PASSWORD_ARGON2ID are memory_cost, time_cost and threads.
$options = [ 'memory_cost' => 2048 'time_cost' => 4, 'threads' => 3, ]; password_hash($password, PASSWORD_ARGON2ID, $options)
Store password in the database
When the user register or sign up in your application, you can hash the entered password with one of the above password_hash() function and store the hashed password in the database.
Here, we have used the PASSWORD_BCRYPT hashing algorithm to hash the password and then used the mysqli database connection code to connect to the database and insert query to insert in the 'users' table. Please make sure to replace the database credentials with yours.
$username = $_POST['username'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_BCRYPT);
$conn = new mysqli('hostname', 'username', 'password', 'databasename');
//Check for connection error
if($conn->connect_error){
die("Error in DB connection: ".$conn->connect_errno." : ".$conn->connect_error);
}
$insert = "INSERT INTO `users` (`uid`, `username`, `password`) VALUES
(NULL, $username, $hash)";
if($conn->query($insert)){
echo 'Data inserted successfully';
}
else{
echo 'Error '.$conn->error;
}
password_verify()
PHP provides password_verify() function to match the given password with hash.
Syntax
password_verify($password, $hash)Parameters
$password - This is the user's password entered at login.
$hash - The password hash created using password_hash().
Match the user's password with hash password
When a user attempts to login in your application, we have used the password_verify() function to match the provided password with the stored hash password value.
$username = $_POST['username'];
$password = $_POST['password'];
$conn = new mysqli('hostname', 'username', 'password', 'databasename');
if($conn->connect_error){
die("Error in DB connection: ".$conn->connect_errno." : ".$conn->connect_error);
}
$select = "SELECT password FROM `users` WHERE username = '$username'";
$result = $conn->query($select);
while($row = $result->fetch_object()){
$hash = $row->password;
}
if(password_verify($password, $hash)) {
print "Login succeeds";
} else {
print "Login fails.";
}
In the above code, we have written the SELECT query to fetch the stored hash password of the provided username and matched with the user's entered password using the password_verify() function. This function returns TRUE, if both are same otherwise returns FALSE.
Related Articles
How to display PDF file in PHP from databaseHow to read CSV file in PHP and store in MySQL
Create And Download Word Document in PHP
PHP SplFileObject Standard Library
Simple File Upload Script in PHP
Sending form data to an email using PHP
Recover forgot password using PHP and MySQL
Php file based authentication
Simple PHP File Cache
How to get current directory, filename and code line number in PHP
