Servage Magazine


Secure authentication and password-hashing in PHP

Tuesday, June 7th, 2016 by Servage

Many PHP frameworks come with built-in helper functions for dealing with passwords in a secure fashion. However, sometimes you may have to hash and verify passwords manually. In either case, it is a good idea to know how everything works behind the scenes and what the latest and greatest ways of storing passwords securely in PHP 5.6 and 7 are.

Hashing a password

PHP 5.5 introduced a new password hashing API built on the bcrypt key derivation function. bcrypt is deemed safe and is often considered among the best ways to hash passwords in 2016. PHP 5.5 and newer versions include a built-in function called password_hash() that you can use to hash passwords. To hash a password, call the function and pass the plain-text password as the first argument. The second argument, which is required, selects the hashing algorithm. As of PHP 5.6 and 7.0, there are two supported algorithm constants: PASSWORD_DEFAULT and PASSWORD_BCRYPT (they are constants, so they are written in full uppercase). You can use either of these, but keep in mind that the algorithm PASSWORD_DEFAULT maps to is subject to change as PHP is developed. If you want to stay safe from a sudden change of algorithm, which may cause problems in your PHP applications, it is recommended to use PASSWORD_BCRYPT explicitly.

For example, you can use the following code to hash a password using bcrypt:

$hashedPassword = password_hash('plaintext-password', PASSWORD_BCRYPT);

The above code will store the hashed password in the $hashedPassword variable. This is the value that you may want to store in a database in the password column.

Verifying a password

Hashing a password is a simple task, and so is verifying it. PHP includes a built-in function for verifying a password as well. The function is called password_verify() and it takes two arguments: the plain-text password, just like password_hash(), and the hash produced by password_hash().

An example verification looks like this:

$passwordIsCorrect = password_verify('plaintext-password', $hashedPassword);

The function returns true if the correct password is supplied and false if the password is wrong. These two functions are all you need to safely hash and verify passwords in PHP 5.5 and newer versions.

Where is the salt?

You have surely been told that it is always recommended to use a salt when hashing passwords. You may be wondering why the above functions don't use a salt to secure the password. In fact, they do! The salt is included in the password hash itself. This is convenient because you do not need a separate column for the salt in your database: password_verify() extracts it from the stored hash value automatically. When you hash a password using the password_hash() function, you can provide your own salt in an options array as the third argument. However, coming up with your own custom solutions is a bad idea when it comes to cryptography. For this reason, supplying a custom salt is deprecated in PHP 7.
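As an added example (not the article's own code), here is a minimal register/login flow built on the two functions above, together with a helper that splits a bcrypt hash into its parts to show where the salt sits. The in-memory user table and the password values are constructed for the demonstration; password_needs_rehash() and password_get_info() are the standard PHP 5.5+ companions of password_hash().

```php
<?php
// Added example, not from the original article. Requires PHP >= 5.5.
// The only option worth setting is 'cost' (the bcrypt work factor);
// never pass your own 'salt'.
const HASH_COST = 12;

// Registration: store only the bcrypt hash, never the plain-text password.
function registerUser(array &$users, $username, $plaintext)
{
    $users[$username] = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
}

// Login: verify against the stored hash, then transparently upgrade hashes
// that were created with an older (cheaper) cost, so stored hashes keep
// pace with faster hardware without forcing a password reset.
function loginUser(array &$users, $username, $plaintext)
{
    if (!isset($users[$username])) {
        return false;
    }
    if (!password_verify($plaintext, $users[$username])) {
        return false;
    }
    if (password_needs_rehash($users[$username], PASSWORD_BCRYPT, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
    }
    return true;
}

// A bcrypt string is "$2y$" . cost . "$" . 22-char salt . 31-char digest,
// all in bcrypt's own base64 alphabet (./A-Za-z0-9). Splitting it shows
// that the salt is embedded in the value you store in the database.
function bcryptParts($hash)
{
    if (!preg_match('/^\$2y\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

// Constructed sample run: an array stands in for the users table.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'bob', 'anything'));
print_r(bcryptParts($users['alice']));
print_r(password_get_info($users['alice']));
```

Hashing the same password twice yields two different strings because a fresh random salt is generated each time; password_verify() still accepts both, which is why no separate salt column is needed.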

Categories: Guides & Tutorials
