Quick Tip: How to Hash a Password in PHP

Detailed explanation and best practices for PHP password hashing

In any programming language, it is crucial to understand how to hash a password. This article will quickly explain how to implement password hashing in PHP and explain its importance.

Every PHP programmer will write applications that rely on user login to run properly at some stage. Usernames and passwords are usually stored in a database and then used for authentication. As we all know, passwords must never be stored in a database in plain text: if the database is compromised, all passwords will be exploited by malicious attackers. This is why we need to learn how to hash the password.

Note that we are using the word "hash" instead of "encryption". This is because hashing and encryption are two completely different processes that are often confused.

Hash

hash function takes a string (such as mypassword123) and converts it into an encrypted version of the string, called a hash value. For example, the hash of mypassword123 might be a seemingly random number and letter string, such as 9c87baa223f464954940f859bcf2e233. Hash is a one-way function. Once you have something, you get a fixed length string—a process that is hard to reverse.

We can compare two hash values ​​to check if they both come from the same original string. Later in this article, we will see how to implement this process using PHP.

Encryption

Similar to a hash, encryption takes an input string and converts it into a seemingly random number and alphabetical string. However, encryption is a reversible process—if you know the encryption key. Because it is a reversible process, it is not suitable for passwords, but is ideal for aspects such as point-to-point secure messaging.

If we encrypt the password instead of hashing, and the database we are using is accessed by a malicious third party in some way, then all user accounts will be threatened - this is obviously not a good scenario.

Add salt

The password should also be "salted" before hashing. "Salt" is an operation that adds a random string to the password before hashing.

By adding salt to the password, we can prevent dictionary attacks (the attacker systematically enters each word in the dictionary as a password) and rainbow table attacks (the attacker uses a list of common password hashs).

In addition to adding salt, we should also use a relatively safe algorithm when hashing. This means it should be an algorithm that has not been cracked yet, preferably a specialized algorithm rather than a general one (such as SHA512).

As of 2023, the recommended hash algorithm is:

• Argon2
• Scrypt
• bcrypt
• PBKDF2

Hash processing in PHP

Hash processing in PHP has become very easy since the introduction of the password_hash() function in PHP 5.5.

Currently, it uses bcrypt by default and supports other hashing algorithms such as Argon2. The password_hash() function will also automatically add salt to our password.

End, it returns the hashed password. "Cost" and "Salt" are returned as part of the hash.

Simply put, the cost in a password hash refers to the amount of computation required to generate a hash. It's like measuring the "difficulty" of creating a hash. The higher the cost, the greater the difficulty.

Imagine you want to make a cake and the recipe for that cake says "beat the egg for five minutes." That's the "cost" of making that cake. If you want to make the cake more "safe", you might change the recipe to "beat the egg for ten minutes." It takes longer to make a cake now, which is like adding the “cost” of making a cake.

As we read in the password_hash() document:

…All information required to verify the hash is included. This allows the password_verify() function to verify the hash without the need to store salt or algorithm information separately.

This ensures that we do not have to store other information in the database to verify the hash value.

In fact, it looks like this:

<?php
$password = "sitepoint";

$hashed_password = password_hash($password, PASSWORD_DEFAULT);

if (password_verify($password, $hashed_password)) {
    //如果输入的密码与哈希密码匹配，则登录成功
} else {
    //重定向到主页
}

For more information about password_hash() functions, please visit here, and for information about password_verify() functions, please visit here.

Conclusion

For PHP programmers, it is important to understand the difference between hashing and encryption and use hashing to store passwords to protect user accounts from attacks. The password_hash() function introduced in PHP 5.5 enables programmers to have passwords securely using various algorithms, including Argon2 and bcrypt.

As Tom Butler said in PHP & MySQL: Novice to Ninja:

Luckily, PHP includes a very secure password hashing method. It's created by people who know these aspects better than you and I, and it avoids developers like us who need to fully understand the security issues that may arise. Therefore, it is highly recommended that we have hashing passwords using the built-in PHP algorithm instead of creating our own.

Be sure to keep this in mind and stay up to date with the latest recommended hash algorithms to ensure the best security of your application.

Frequently Asked Questions on PHP Password Hashing

What is password hashing and why is it important in PHP? Password hashing is the process of converting a plaintext password into a fixed-length, irreversible character string. In PHP, it is important because it can protect user passwords by storing them in a hash form, making it difficult for attackers to retrieve the original password.

What hash algorithms should I use to hash the password in PHP? PHP provides password_hash() and password_verify() functions, and the bcrypt algorithm is used by default. Bcrypt is recommended as it is a secure password hashing option.

How to hash the password in PHP? You can hash the password using the password_hash() function. For example: password_hash($password, PASSWORD_BCRYPT).

How to verify hash password in PHP? To verify the hash password, use the password_verify() function. It checks if the given password matches the hashed version stored in the database.

When hashing in PHP, should I add salt to the password? Yes, it is recommended to use unique salt for each password before hashing. The password_hash() function automatically generates salt, so you don't need to manage it manually.

The above is the detailed content of Quick Tip: How to Hash a Password in PHP. For more information, please follow other related articles on the PHP Chinese website!