password_hash() handles salting and algorithm selection for you. It's built into PHP (5.5 and later), so just use it and don't worry about how to hash and salt.

  $HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT);
  //
  // $HashedPassword will be a 60 character string, or FALSE on failure (PHP 8 throws a ValueError on bad arguments instead of returning FALSE).
  // The string incorporates the algorithm used, cost and salt as part of the returned hash.
  // You store the string in your db (no need to separately store the salt) and then use it to verify passwords later.
  // Future hashing may return more than 60 characters if the default algorithm (PASSWORD_DEFAULT) moves away from bcrypt,
  // so store it in a db column that can take 255 characters.
  //
  // To verify it:
  if (password_verify($UsersEnteredPassword, $HashedPassword)) {
    // password matches the stored hash
  }

Bcrypt output uses a fixed, limited character set ($, ., /, 0-9, A-Z, a-z), so it contains nothing that needs escaping in SQL strings; prepared statements are still the sensible default for the insert and lookup.

If you need to force fixed settings

  // Normally password_hash() picks the algorithm, cost and salt for you and stores them within the hash.
  // If you need fixed settings for some reason you can pass them in the options array like this.
  // Note: the 'salt' option is deprecated since PHP 7.0 and ignored since PHP 8.0; only 'cost' is still honoured, so let PHP generate the salt.
  $HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT, ['cost' => 10, 'salt' => ':bKRL@`8Ax]k7G7DM^6g&efeU52H/-p']);
  if ($HashedPassword === false) {
    return; // hashing failed, do not store or verify anything
  }
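The register-and-login flow the snippets above describe, as an added example that is not part of the original post: a fixed cost without a caller-supplied salt, storage in a 255-character column through prepared statements, verification with password_verify(), and a rehash on login when the stored hash was made with older settings. It assumes PHP 7.2+ with the PDO SQLite extension; the users table, its column names and the BCRYPT_COST value are assumptions for the example.

```php
<?php
// Added example (not the original post's code): full register / login flow
// with password_hash() and password_verify(), backed by an in-memory SQLite
// database via PDO so it runs stand-alone. Table and column names are assumed.

declare(strict_types=1);

// Assumption: pick a cost so one hash takes roughly 100-250 ms on your server.
const BCRYPT_COST = 12;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // VARCHAR(255): bcrypt output is 60 chars today, leave room for future algorithms.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Only the cost is fixed; PHP generates the salt and stores it inside the hash.
    // Bcrypt only uses the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    // Prepared statement: bcrypt output is SQL-safe, but parameters are the default anyway.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a syntactically valid dummy hash so the
        // response time matches the known-user path, then reject.
        password_verify($password, '$2y$' . BCRYPT_COST . '$' . str_repeat('a', 53));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Stored hash made with older settings (lower cost, other algorithm)? Rehash now,
    // while the plaintext is available, and replace the stored value.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => $new, ':u' => $username]);
    }
    return true;
}

// Demo run with constructed sample data.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple')); // right password
var_dump(loginUser($db, 'alice', 'wrong password'));               // wrong password
var_dump(loginUser($db, 'nobody', 'anything'));                    // unknown user

// Inspect the stored hash: the "$2y$<cost>$" prefix encodes algorithm and cost,
// the next 22 characters are the salt, the rest is the bcrypt output.
$stored = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();
print_r(password_get_info($stored));
```

Raising BCRYPT_COST later needs no migration script: password_needs_rehash() reports the old hashes on the next successful login and loginUser() replaces them, which is also why the column is sized larger than today's 60-character bcrypt string.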
Feel free to comment if you can add to this page or point out issues and solutions you have found. I do not provide support on this site; if you need help with a problem, head over to Stack Overflow.
