Store passwords securely in PHP to prevent password hacking
November 10, 2016

Most applications built with PHP have a login, which means storing user data that includes passwords. This article shows how to store passwords securely in PHP.

Methods to store passwords securely.

There are many ways to protect passwords in PHP, using functions such as crypt(), md5() and password_hash(). These functions transform the password with a built-in algorithm into a string that is not readable by humans, so no one can tell what the password is by looking at the stored string. The rest of this article uses password_hash().

Hashing a Password with password_hash() function.

password_hash() creates a password hash using a strong one-way hashing algorithm. It is available in PHP 5.5 and later. It is also compatible with crypt(), so hashes created by crypt() can be used with password_hash().

It supports two algorithms: PASSWORD_DEFAULT and PASSWORD_BCRYPT.

PASSWORD_DEFAULT – The default algorithm is presently bcrypt, which produces a 60-character string. Because the default can change over time, leave enough room in the database to store it: a 255-character password field will accommodate longer hash strings in the future.

PASSWORD_BCRYPT – Using PASSWORD_BCRYPT as the algorithm results in the password parameter being truncated to a maximum length of 72 characters.

Creating a hash from a password is simple. Below is the code which converts a password into a hash.
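
An added example of this step, not the original article's listing: it hashes a constructed password with password_hash(), shows that the result carries its own algorithm and salt, and demonstrates the 72-character bcrypt truncation described above. The password and variable names are assumptions for illustration.

```php
<?php
// Added example: the password and variable names are constructed for illustration.
$password = 'correct horse battery staple';

// PASSWORD_DEFAULT lets PHP pick the algorithm; a random salt is generated
// on every call and embedded in the returned string.
$hash = password_hash($password, PASSWORD_DEFAULT);
if (!is_string($hash)) {
    // Older PHP versions return false on failure instead of throwing.
    exit("Hashing failed\n");
}

// This string is what goes into the database column (sized 255 as advised above).
echo "Hash:   ", $hash, PHP_EOL;
echo "Length: ", strlen($hash), PHP_EOL;

// Algorithm and cost are readable from the hash itself, which is how
// password_verify() later knows how to check it.
print_r(password_get_info($hash));

// Hashing the same password again gives a different string because the salt
// differs, so identical passwords do not produce identical database values.
$again = password_hash($password, PASSWORD_DEFAULT);
echo "Same string twice? ", ($hash === $again ? 'yes' : 'no'), PHP_EOL;

// bcrypt truncation: only the first 72 characters are hashed. These two
// inputs differ only after character 72, so the second verifies against
// the hash of the first.
$prefix   = str_repeat('a', 72);
$longHash = password_hash($prefix . 'first-ending', PASSWORD_BCRYPT);
echo "Different ending accepted? ",
    (password_verify($prefix . 'other-ending', $longHash) ? 'yes' : 'no'), PHP_EOL;
```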

In the above code we pass the password we want to hash and get back a hash string that is secure and can be stored in the database. Anyone with access to the database will see only the hash string, not the actual password.

Validate and Check the hash password.

We validate the new password entered by the user against the one stored in hash format. To keep things simple and easy to understand, password_verify() does all the work in the code below: we just pass it the newly entered string and the stored hash string. password_verify() returns a Boolean, true or false, indicating whether the password matched.
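
An added example of this check, not the original article's listing: it verifies a login attempt against a stored hash with password_verify() and, on success, uses password_needs_rehash() to upgrade a hash made with older settings. The function name check_login, the passwords and the cost values are assumptions for illustration.

```php
<?php
// Added example: passwords, cost values and check_login() are constructed.

// What registration would have written to the database earlier.
$storedHash = password_hash('S3cret-passphrase', PASSWORD_BCRYPT, ['cost' => 10]);

/**
 * Hypothetical helper: checks a login attempt against the stored hash.
 * Returns [bool $ok, string|null $newHash]; $newHash is set when the
 * stored hash should be replaced with one made under the current policy.
 */
function check_login($entered, $storedHash, array $policy)
{
    // password_verify() reads the algorithm, cost and salt from the hash
    // and compares in a way that is safe against timing attacks.
    if (!password_verify($entered, $storedHash)) {
        return [false, null];
    }

    // Only at a successful login is the plain password available, so this
    // is the moment to re-hash if the stored hash uses outdated settings.
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $policy)) {
        $newHash = password_hash($entered, PASSWORD_DEFAULT, $policy);
    }
    return [true, $newHash];
}

$policy = ['cost' => 12]; // assumed current policy, higher than the stored cost

// Same password as stored: matches, and an upgraded hash is returned.
list($ok, $newHash) = check_login('S3cret-passphrase', $storedHash, $policy);
echo $ok ? "Password matched\n" : "Password did not match\n";
if ($newHash !== null) {
    echo "Replace the stored hash with: $newHash\n";
}

// Different password: rejected, nothing to update.
list($ok) = check_login('wrong-guess', $storedHash, $policy);
echo $ok ? "Password matched\n" : "Password did not match\n";
```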

In the above example the password matches because we provided the same password that was stored earlier in hash format. You can also use password_verify() with hashes created by the crypt() function.

Always store passwords by hashing them with a secure method. The above examples were tested in PHP 5.6+, so leave a comment below if you face any issue while working with them and we will be happy to help you out.

About author

Rio
Expert web developer working in PHP, Wordpress, Joomla, Magento, Javascript etc.
