How to securely hash and salt passwords in PHP?

Salting and hashing is the technique used to store passwords in a database. In cryptography, salting means adding some random content to the password before hashing it, so salt and hash together provide two levels of protection. Salting makes every stored hash unique: if two users choose the same password, the salted hashes will still differ. Used together with hashing, salting raises the level of security of the stored passwords.

Salting and hashing: In PHP, storing a password with salting and hashing is done by the password_hash() function. This function takes three parameters and returns the final hash of that password.

Syntax:

string password_hash( string $pass, int $algo, array $options )

Parameters:

  • $pass: This parameter holds the password that is to be secured and stored in the database.
  • $algo: It specifies the hashing algorithm used to create the hash of $pass. Some of the algorithm constants in PHP are:
    1. PASSWORD_DEFAULT: Use the bcrypt algorithm (default as of PHP 5.5.0). This constant is designed to change over time as new and stronger algorithms are added to PHP.
    2. PASSWORD_BCRYPT: Use the CRYPT_BLOWFISH algorithm to create the hash. The result is a 60-character string, or FALSE on failure.
  • $options: This is the salting part: an associative array of options that carries the cost factor. It is optional; if left empty, the default cost is used (10 in most cases). Note that a higher cost makes the hash harder to attack but puts a heavier load on the CPU.

Return Value: It returns the hashed password, or FALSE on failure.

Example: This example demonstrates password_hash(): creating a hash and then comparing a password against it.

<?php

// The plaintext password to be stored
$password = 'Password';

// Use password_hash() to create a salted hash; the salt is generated
// automatically, so the two hashes below differ even for the same password
$hash_default_salt = password_hash($password, PASSWORD_DEFAULT);

// Same algorithm, but with an explicit (lower) cost factor
$hash_variable_salt = password_hash($password, PASSWORD_DEFAULT, array('cost' => 9));

// Use password_verify() to check a candidate password against each hash
echo password_verify('Password', $hash_default_salt) . "<br>";

echo password_verify('Password', $hash_variable_salt) . "<br>";

echo password_verify('Password123', $hash_default_salt);

?>

Output:

1
1
0

In this example, the password_verify() function is used to compare the hash with the string passed as a parameter. It takes the candidate password and the stored hash as parameters and returns true if the password is correct, otherwise it returns false.
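The following is an added example that is not part of the original article: a registration and login flow built on password_hash() and password_verify() that also uses password_needs_rehash() to upgrade hashes stored with an older, lower cost. It assumes PHP 7.4 or later; the $users array is a constructed in-memory stand-in for a database table, and HASH_COST is an assumed value that should be tuned per host.

```php
<?php
// Added example (not the article's code). $users stands in for a DB table.

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_COST = 12;   // assumption: tune so one hash takes ~100 ms on the target host

// Registration: never store the password itself, only its salted hash.
function register(array &$users, string $username, string $password): void {
    $users[$username] = password_hash($password, HASH_ALGO, ['cost' => HASH_COST]);
}

// Login: verify against the stored hash. If the hash was created with
// weaker parameters than the current ones, re-hash and persist the new value.
function login(array &$users, string $username, string $password): bool {
    // For unknown users, verify against a dummy hash so that a missing account
    // costs about the same time as a wrong password (no enumeration by timing).
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', HASH_ALGO, ['cost' => HASH_COST]);

    $stored = $users[$username] ?? $dummy;
    $ok = password_verify($password, $stored) && isset($users[$username]);
    if (!$ok) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($password, HASH_ALGO, ['cost' => HASH_COST]);
    }
    return true;
}

// Demo with constructed data.
$users = [];
// A legacy row hashed at cost 9, as in the article's example.
$users['alice'] = password_hash('Password', PASSWORD_DEFAULT, ['cost' => 9]);
register($users, 'bob', 'correct horse battery staple');

// Same password, two calls: the random salt makes the hashes differ.
var_dump(password_hash('Password', PASSWORD_DEFAULT) !== password_hash('Password', PASSWORD_DEFAULT));

// Correct password for alice: login succeeds and her hash is upgraded to HASH_COST.
var_dump(login($users, 'alice', 'Password'));
var_dump(password_get_info($users['alice'])['options']);

// Wrong password, and a user that does not exist.
var_dump(login($users, 'alice', 'Password123'));
var_dump(login($users, 'nobody', 'Password'));
?>
```

Because the stored hash string embeds the algorithm, cost and salt, password_needs_rehash() can tell whether an old row needs upgrading without any extra column, and the upgrade happens only when the user logs in with the correct password, since that is the only moment the plaintext is available.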
