PHP 5.5 Password Hashing API

Most applications and websites today have a user registration system, which requires storing usernames, passwords and so on. The developer of the application should always store passwords securely and never in plain text. There are many ways to encrypt or hash passwords before storing them in the database, but which method should you use? The methods currently in use hash the password with algorithms like MD5(), SHA1() and BCRYPT.

The MD5() and SHA1() methods are now considered weak. BCRYPT is currently considered the best algorithm to use for password hashing. However, implementing it correctly can be difficult (prior to PHP 5.5). PHP 5.5 has a new Password Hashing API which makes it very easy to hash passwords using the BCRYPT algorithm.

There is no need to install or enable any extension if you are using PHP 5.5, as the API is part of the PHP 5.5 core. The new password hashing API uses four simple functions.

Hashing password

To hash the password we can use the password_hash() function. Here is the code that can be used for hashing the password:

$hash = password_hash($password, PASSWORD_DEFAULT);

This code will create a password hash using the default password algorithm (currently BCRYPT), the default cost (currently 10) and an automatically generated salt. The algorithm used, the cost and the salt are all part of the hash, so we don’t have to worry about storing these details separately.

If we don’t want to use the default values, we can pass different options (currently cost and salt) to the function. If we pass a salt to the function, it overrides the default behaviour and prevents a salt from being generated automatically. Here is an example with the cost set to 12 and the algorithm set to BCRYPT instead of the default (although currently PASSWORD_DEFAULT and PASSWORD_BCRYPT both use the BCRYPT algorithm):

$options = [
    'cost' => 12,
];
$hash = password_hash($password, PASSWORD_BCRYPT, $options);

Verifying password

To verify if the password is correct or not we can use the password_verify() function. Here is the code that can be used for password verification.

// $password from user, $hash from database
if (password_verify($password, $hash))
{
    // Valid Password.
}
else
{
    // Invalid Password.
}

Rehashing Passwords

If PHP changes its default hashing algorithm, or you want to change the cost, the stored password hash may need to be updated. To check whether a password hash needs to be updated we can use the password_needs_rehash() function. Here is the code that can be used to check whether the password needs to be rehashed.

if (password_needs_rehash($hash, PASSWORD_DEFAULT))
{
    // Password needs to be rehashed.
}

If you used non-default options for the original hashing, then you can use code similar to the following:

$options = [
    'cost' => 12,
];
if (password_needs_rehash($hash, PASSWORD_BCRYPT, $options))
{
    // Password needs to be rehashed.
}

If we know that the password needs to be rehashed then we can just use the password_hash() function to hash the password. We can do this only on login since we will need the actual password to hash it.
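
The rehash-on-login flow described above, as an added example that is not part of the original post. The $users array, the login() helper and the sample account are assumptions standing in for a real user table.

```php
<?php
// Added example: rehash-on-login. $users stands in for a database table;
// the account, passwords and cost values are constructed sample data.

$algo    = PASSWORD_BCRYPT;
$options = ['cost' => 12];                  // current hashing policy

// Legacy account whose hash was created under an older policy (cost 10).
$users = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

function login(array &$users, $username, $password, $algo, array $options)
{
    if (!isset($users[$username])) {
        return false;                       // unknown account
    }
    $hash = $users[$username];

    // 1. Verify first: never rehash a password that has not matched.
    if (!password_verify($password, $hash)) {
        return false;
    }

    // 2. The stored hash records its own algorithm and cost, so it can be
    //    checked against the current policy without extra columns.
    if (password_needs_rehash($hash, $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        if ($newHash !== false) {           // keep the old hash on failure
            $users[$username] = $newHash;   // an UPDATE query in a real app
        }
    }
    return true;
}

// Failed login: the stored hash must not be touched.
var_dump(login($users, 'alice', 'wrong guess', $algo, $options));
var_dump(password_get_info($users['alice'])['options']['cost']);

// Successful login: the hash is transparently upgraded to the new cost.
var_dump(login($users, 'alice', 'correct horse', $algo, $options));
var_dump(password_get_info($users['alice'])['options']['cost']);
var_dump(password_needs_rehash($users['alice'], $algo, $options));
```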

Conclusion

This new API and its functions make it very easy to hash passwords using a secure hashing algorithm and also to verify them. If your website is running on PHP 5.5, then my recommendation is to start using this new hashing API.

Also, in case you are using PHP 5.3.7 (or later) and want to use this new API, there is a password_compat library which provides forward compatibility with the above functions. This library automatically disables itself once you upgrade to PHP 5.5.
