Password Hashing API

Hashing passwords using the PHP 5.5 password hashing API

How to securely hash passwords in PHP?

There are many ways a database of user passwords can end up in the wrong hands. If the passwords were not securely hashed when that happens, the site owner is responsible and in real trouble, because users frequently reuse the same password on other sites. If you plan to protect passwords with md5 (or sha1, or even sha256) without a salt, you need to read this.

The MD5 algorithm is known to be vulnerable to collisions: attackers can craft two different inputs that produce the same digest. For password storage, though, collision resistance is not even the main issue. MD5, SHA-1 and SHA-256 are designed to be fast, so an attacker who obtains the stored hashes can test billions of candidate passwords per second on commodity GPUs, and for unsalted hashes can skip the computation entirely by using precomputed lookup (rainbow) tables.

The common remedy against precomputed tables is a salt: a random per-user value that is hashed together with the password, so that identical passwords produce different hashes and a table built in advance is useless. But a salt alone is not enough. Each guess still costs the attacker only one fast hash computation, so the hash function itself must be slow and tunable (bcrypt, which the API below uses by default), with a work factor that can be raised as hardware gets faster.

The new password hashing API exposes four simple functions:

  • password_hash() – used to hash the password.
  • password_verify() – used to verify a password against its hash.
  • password_needs_rehash() – checks whether a stored hash was created with different options (algorithm or cost) than the ones now in use and should therefore be regenerated.
  • password_get_info() – returns the name of the hashing algorithm and various options used while hashing.

The important thing here is that you don’t have to provide a salt value or a cost parameter. The new API takes care of both: it generates a random salt from a cryptographically secure source, and the salt, algorithm and cost are all encoded in the returned hash string, so you don’t have to store them separately. If you want a different cost, pass a third argument to password_hash(), an array of options. The same array also accepted a caller-supplied salt, but that option is deprecated since PHP 7.0 and should not be used; the salt the API generates is already random and is embedded in the hash.

Here is a simple example
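The following registration and login flow is an added example, not code from the original page. It shows all four functions of the API working together: hashing at registration, verifying at login, transparently upgrading an old hash after a successful login, and inspecting what was stored. The `$users` array, the `HASH_COST` constant and the `registerUser()` / `loginUser()` helper names are assumptions made for this example; in real code the array would be a database table.

```php
<?php
// Added example (not from the original page): a registration and login flow
// built on the PHP 5.5+ password hashing API. The $users array is a
// stand-in for a database table that stores one hash string per user.

// bcrypt work factor (assumed value). The library default is 10; raise it
// until a single password_hash() call takes roughly 100-250 ms on your
// production hardware.
const HASH_COST = 12;

// Hypothetical in-memory user store: username => hash string.
$users = array();

function registerUser(array &$users, $username, $password)
{
    // No salt is supplied: password_hash() generates a random one with the
    // platform CSPRNG and embeds it, together with the algorithm and cost,
    // in the returned string ("$2y$12$" + 22-char salt + 31-char hash).
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $users[$username] = $hash;
}

function loginUser(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    // password_verify() reads algorithm, cost and salt from the stored hash
    // and compares in a timing-safe way; never compare hash strings with ==.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // A successful login is the only moment the plaintext is available, so
    // use it to upgrade hashes created with an older cost or algorithm.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, array('cost' => HASH_COST))) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST));
    }
    return true;
}

// Demo with constructed credentials.
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'Correct horse battery staple'));

// Inspect what was stored: the algorithm name and the cost are recoverable
// from the hash itself, the salt is inside it, the password is not.
print_r(password_get_info($users['alice']));
```

The first `loginUser()` call succeeds and the second fails on the changed first letter. Two practical caveats: bcrypt only uses the first 72 bytes of the password, so longer inputs are silently truncated, and the stored column should be wide enough (255 characters is the usual recommendation) because PASSWORD_DEFAULT may switch to an algorithm with longer output in a future PHP release.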

PASSWORD_DEFAULT – use the bcrypt algorithm (the default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP, so the length of the returned hash may grow: bcrypt hashes are 60 characters, but the official documentation recommends storing the result in a column of 255 characters.

For more information visit the official documentation of the password hashing API.