
Password Hashing

Never store plain-text passwords. Use password_hash() to hash them with bcrypt or Argon2id, and password_verify() to check them on login. Never use MD5 or SHA1 for passwords — they are too fast and easily cracked.

Secure Password Handling

// NEVER store plain text passwords!
// NEVER use MD5 or SHA1!

// Hash a password (uses bcrypt by default)
$hash = password_hash("UserSecret123!", PASSWORD_DEFAULT);
// $2y$10$... (60 char bcrypt hash)

// Verify password
if (password_verify("UserSecret123!", $hash)) {
    echo "Password correct!";
}

// Check if rehash needed (after upgrading algorithm or cost). Do this right after a
// successful password_verify(), while the submitted plaintext is still available.
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
    $hash = password_hash("UserSecret123!", PASSWORD_DEFAULT);
    // save new hash to database
}

// Argon2id (stronger — PHP 7.3+, requires PHP built with Argon2 support)
$hash = password_hash("secret", PASSWORD_ARGON2ID, [
    "memory_cost" => 65536, // in KiB, so 64 MiB per hash
    "time_cost"   => 4,     // number of iterations
    "threads"     => 3,     // only honoured with libargon2; libsodium builds accept only 1
]);
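The snippets above show each function on its own. The following is an added example (not code from the original tutorial) that puts them together into a small registration and login flow: hashes are stored per user, a failed login for an unknown user costs the same as for a known one, and an outdated hash is upgraded transparently on the next successful login. The `$users` array stands in for a database table, and `registerUser()`/`login()` are names chosen here, not PHP functions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original tutorial. A minimal registration and
// login flow around password_hash(), password_verify() and
// password_needs_rehash(). $users stands in for a users table (assumption).

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // tune so one hash takes roughly 100-250 ms on your hardware

/** Store a new account. Only the hash is kept: algorithm, cost and salt are embedded in it. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Check credentials and, on success, upgrade the stored hash to the current
 * policy ($algo/$options) if it was produced with older parameters.
 */
function login(array &$users, string $username, string $password, $algo = HASH_ALGO, array $options = HASH_OPTIONS): bool
{
    // Unknown users are verified against a throwaway hash of the same cost so
    // the response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $users[$username] ?? $dummyHash;

    $ok = password_verify($password, $stored);   // timing-safe comparison inside
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // A successful login is the only moment the plaintext is available, so this
    // is where password_needs_rehash() belongs.
    if (password_needs_rehash($stored, $algo, $options)) {
        $users[$username] = password_hash($password, $algo, $options);
    }
    return true;
}

// ---- demo with constructed data ------------------------------------------
$users = [];
registerUser($users, 'alice', 'UserSecret123!');
printf("stored:   %s\n", $users['alice']);

// Hashing the same password twice yields different strings because the salt is random.
$same = password_hash('UserSecret123!', HASH_ALGO, HASH_OPTIONS) === $users['alice'];
printf("identical hashes for identical passwords? %s\n", $same ? 'yes' : 'no');

printf("wrong password: %s\n", login($users, 'alice', 'wrong-password') ? 'accepted' : 'rejected');
printf("unknown user:   %s\n", login($users, 'nobody', 'UserSecret123!') ? 'accepted' : 'rejected');
printf("correct login:  %s\n", login($users, 'alice', 'UserSecret123!') ? 'accepted' : 'rejected');

// Policy change: move to Argon2id (PHP 7.3+ built with Argon2 support). The old
// bcrypt hash still verifies, and the next successful login replaces it.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
    login($users, 'alice', 'UserSecret123!', PASSWORD_ARGON2ID, $argon);
    printf("upgraded: %s\n", $users['alice']);
    printf("algorithm now: %s\n", password_get_info($users['alice'])['algoName']);
}
```

Run it with `php login_demo.php` (any filename). The Argon2id step uses `threads => 1` on purpose so it works on both libargon2 and libsodium builds of PHP; raise it only if you know your build uses libargon2. In production the rehash branch would write the new hash back to the database in the same transaction as the login.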
Topic Quiz · 5 questions

Test your understanding before moving on

1. Which function should you use to hash passwords?
💡 password_hash() uses bcrypt by default and is the correct way to hash passwords.
2. Which function verifies a password against a hash?
💡 password_verify($plain, $hash) securely compares a plaintext password to a hash.
3. Why should you NOT use MD5 for passwords?
💡 MD5 is cryptographically broken and fast to brute force — never use for passwords.
4. What does PASSWORD_DEFAULT use?
💡 PASSWORD_DEFAULT currently uses bcrypt and may change to stronger algorithms in future PHP.
5. What is password_needs_rehash() for?
💡 password_needs_rehash() checks if the hash needs to be updated after changing hash parameters.