Hash passwords

Do NOT hash passwords yourself

Password storage is easy to get right in any language, and PHP makes it particularly easy. Still, partly because of very old tutorials, many applications do it the wrong way (a fast general-purpose hash, no salt, or a hand-rolled scheme) and end up with stored passwords that are trivial to crack. The right way is to use the built-in function that does everything for you in a secure manner - password_hash:

$password = "asdf123";
$secret = password_hash($password, PASSWORD_BCRYPT);
// Store $secret in database

password_hash uses a secure, deliberately slow hash algorithm (bcrypt here; PASSWORD_DEFAULT selects the currently recommended algorithm and may change in future PHP versions) and salts it with a cryptographically secure pseudorandom salt that the function generates itself. It returns the algorithm identifier, cost parameter, salt and hash as a single string, suitable for storing as-is with the user's record in the database. Never supply your own salt, and give the column room to grow (the PHP manual suggests 255 characters) so a future algorithm change does not truncate the stored value.



Verify password

Do NOT verify the password yourself

Again, PHP has a built-in function that does this for you in a secure manner - password_verify. It reads the algorithm, cost and salt back out of the stored string, recomputes the hash from the entered password and compares the two in a way that is safe against timing attacks, so you never handle the salt or the comparison yourself:

if (password_verify($password_entered, $stored_secret))
{
    // Password OK
}
else
{
    // Password not OK
}

Simple and secure!

NB. Also do not forget to call password_needs_rehash when authenticating users. It reports whether the stored hash was produced with an algorithm or cost other than the ones you currently pass, so you can re-hash the password (you have the plaintext in hand at that moment, and at no other time) and update the record. This lets you raise the cost or switch algorithms as the recommended standards change, without forcing users through a password reset.
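The two halves above (hashing at registration, verifying and re-hashing at login) fit together as follows. This is an added example, not code from the original page; the `register`/`login` functions, the in-memory `$users` array standing in for a database table, the user names, passwords and the cost values are all constructed for illustration.

```php
<?php
// Added example, not code from the original page: a minimal registration and
// login flow built on password_hash / password_verify / password_needs_rehash.
// The $users array stands in for a database table; the user names, passwords
// and the cost value are constructed for illustration.
declare(strict_types=1);

// Current hashing policy. Raising 'cost' doubles the work per hash for both
// you and an attacker; tune it so one hash takes roughly 100-250 ms on your
// production hardware, then rely on password_needs_rehash to roll it out.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

/** Create a user record. The stored string embeds algorithm, cost and salt. */
function register(array &$users, string $username, string $password): void
{
    // bcrypt only looks at the first 72 bytes; refuse rather than truncate silently.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $users[$username] = ['secret' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

/**
 * Check a login attempt; returns true only when the password matches.
 * If the stored hash no longer meets the current policy, it is re-hashed
 * with the plaintext we have in hand and written back.
 */
function login(array &$users, string $username, string $passwordEntered): bool
{
    // Always run password_verify, even for unknown users, so response time
    // does not reveal which user names exist. The dummy hash is of a random
    // value and is computed once per process.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username]['secret'] ?? $dummy;
    if (!password_verify($passwordEntered, $stored) || !isset($users[$username])) {
        return false;
    }

    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['secret'] = password_hash($passwordEntered, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// --- demo on constructed data ---
$users = [];
register($users, 'alice', 'correct horse battery staple');

// A legacy record hashed with a lower cost than the current policy (cost 4 is
// the minimum bcrypt accepts; it exists here only to show the upgrade path).
$users['bob'] = ['secret' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4])];

var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));

$before = $users['bob']['secret'];
var_dump(login($users, 'bob', 'hunter2'));
// After a successful login bob's hash has been replaced; inspect the new cost.
var_dump($before !== $users['bob']['secret']);
var_dump(password_get_info($users['bob']['secret'])['options']['cost']);
```

Running it, alice's correct password and bob's login succeed while the wrong password and the unknown user fail; after bob's login his record holds a fresh hash at the current cost, which is the whole point of calling password_needs_rehash on the authentication path. The dummy-hash trick keeps the unknown-user branch as slow as the real one; the explicit isset check afterwards makes sure a match against the dummy can never log anyone in.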