Password hashing API that simplifies creating and checking password hashes in a way that cannot be easily reversed. It replaces the insecure use of SHA1 and MD5 for password storage. Available natively in PHP 5.5.0 and later, or through an external compatibility package in PHP 5.3.7 and later.
password_hash(), a PHP function, was born out of a need to secure passwords easily, in a way that the hashes would not be quickly broken should an attacker obtain a table of hashed passwords.
While its underlying hashing algorithm was already available through the PHP crypt() function, pulling together all the pieces needed to use crypt() correctly (algorithm selection, salt generation, cost) was beyond most programmers. As a result, many new programmers turned to the long-established but insecure sha1() and md5() hashes, which are fast general-purpose digests and unsuitable for password storage.
password_hash() is a thin wrapper around crypt(), using BCRYPT. It generates a random salt by default (recommended) and returns a single string that contains the salt, the cost and the hashed password. Passing that string back into password_verify(), along with the plain-text password, tells you whether they match.
<?php
$pass = 'password';
// PASSWORD_DEFAULT currently selects bcrypt; a fresh random salt is generated on every call
$hash = password_hash($pass, PASSWORD_DEFAULT);
// $hash now contains a 60-character string that looks like
// $2y$10$WNxIiMP4o7EevZKNL01T4uwux1TvOhFRj31XVfG7lQV7HhVY5tsIK
// ($2y$ = bcrypt, 10 = cost, then the 22-character salt followed by the hash)
$verify = password_verify($pass, $hash); // reads cost and salt from $hash, recomputes and compares
var_dump($verify); // bool(true)
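The snippet above covers a single hash and verify. The following is an added example (not code from the original page or from PHP's own documentation) that puts password_hash() and password_verify() into a register / login cycle and adds the piece the paragraph does not show: password_needs_rehash(), which lets a stored hash be upgraded to a higher cost the next time the user logs in. The function names, the user names, the passwords and the cost of 12 are all constructed for this example; the $users array stands in for a database table. Scalar type hints are left out so the code also runs on PHP 5.5 (or 5.3.7+ with password_compat).

```php
<?php
// Added example, not from the original page: a register / login / rehash
// cycle built on password_hash() and password_verify(). The $users array
// is a constructed stand-in for a database table.

// Work factor. 10 is the PHP default; 12 is an assumed project policy
// here. Tune it so one hash takes tens of milliseconds on your hardware.
define('CURRENT_COST', 12);

// Registration: store the full output of password_hash(). It already
// contains the algorithm, cost and a random salt, so no extra columns
// are needed and the caller never supplies a salt.
function registerUser(array &$users, $name, $password, $cost = CURRENT_COST)
{
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    return $users[$name];
}

// Login: password_verify() parses algorithm, cost and salt out of the
// stored string, recomputes the hash and compares in constant time.
function loginUser(array &$users, $name, $password, $cost = CURRENT_COST)
{
    if (!isset($users[$name])) {
        // Unknown user: verify against a constructed, syntactically valid
        // bcrypt string so this path costs about as much as a real check
        // and the response time does not reveal which usernames exist.
        password_verify($password, '$2y$' . sprintf('%02d', $cost) . '$' . str_repeat('.', 53));
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // Transparent upgrade: a hash created under an older cost (or
    // algorithm) is replaced now, while the plaintext is legitimately
    // in hand. This is how a cost increase rolls out without a reset.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, array('cost' => $cost))) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    return true;
}

// Inspect a stored hash without the plaintext: useful for auditing which
// accounts still sit at an old cost.
function hashCost($hash)
{
    $info = password_get_info($hash);
    return isset($info['options']['cost']) ? $info['options']['cost'] : null;
}

// Usage with constructed credentials. 'alice' is registered at the old
// cost 10, then upgraded to CURRENT_COST by a successful login.
$users = array();
registerUser($users, 'alice', 'correct horse battery staple', 10);
echo 'cost before login: ', hashCost($users['alice']), PHP_EOL;
echo 'wrong password:    ', var_export(loginUser($users, 'alice', 'Tr0ub4dor&3'), true), PHP_EOL;
echo 'unknown user:      ', var_export(loginUser($users, 'bob', 'anything'), true), PHP_EOL;
echo 'right password:    ', var_export(loginUser($users, 'alice', 'correct horse battery staple'), true), PHP_EOL;
echo 'cost after login:  ', hashCost($users['alice']), PHP_EOL;
```

The only thing persisted per user is the string password_hash() returned; the cost and salt travel inside it, which is why password_verify() and password_needs_rehash() need no extra arguments to interpret an old hash. The rehash-on-login step is the practical answer to "we raised the cost, what about existing accounts": no reset is forced, and hashCost() shows which accounts have not yet been migrated.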
password_hash() is native to PHP 5.5.0 and later; for PHP 5.3.7 and later, a compatible library (password_compat) provides the same functions and behaves the same way.
- Official PHP documentation
- PHP RFC proposal for password_hash()
- password_compat compatibility package for PHP 5.3.7+