Creating and Verifying Hashes in PHP, The Easy Way

PHP 5.5.0 was released yesterday, with it came a whole list of new features and functions. One of the new APIs available is the Password Hashing API. This API currently contains four functions, password_get_info(), password_hash(), password_needs_rehash(), and password_verify(). Let’s step through each of these functions.

First we will discuss password_hash(). This is what will be used to create a new hash for a password. It accepts three parameters, password, hashing algorithm, and options, with the first two being required. To use this function, you will do something like the following:

$password = 'foo';
// Only the password and the algorithm are required; a random salt is generated for you.
$hash = password_hash($password, PASSWORD_BCRYPT);
//$2y$10$uOegXJ09qznQsKvPfxr61uWjpJBxVDH2KGJQVnodzjnglhs2WTwHu

You’ll notice we didn’t add any options to this hash. Available options are currently limited to cost and salt. To add options to your hash you create an associative array.

// 'cost' is the bcrypt work factor (default 10); each increment doubles the hashing time.
// Supplying your own 'salt' is not needed, since password_hash() already generates a
// random one; the 'salt' option was deprecated in PHP 7.0 and is ignored as of PHP 8.0.
$options = [ 'cost' => 10,
             'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM) ];

By adding our options to password_hash() we can see that our hash has been changed, making it more secure.

$hash = password_hash($password, PASSWORD_BCRYPT, $options);
//$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22

Now that we have our hash, we can use password_get_info() to find out information about our newly created hash. password_get_info() requires one parameter, hash, and returns an associative array with three keys: algo, the integer representation of the hashing algorithm used; algoName, the human readable name of that algorithm; and options, the options used when creating the hash.

var_dump(password_get_info($hash));
/*
array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}
*/

The next function added in the Password Hashing API is password_needs_rehash(). It accepts three parameters, hash, hashing algorithm, and options, with the first two being required. Its purpose is to determine whether or not a hash was created with a specific algorithm and options. This could be useful if your database has been compromised and the stored hashes need to be adjusted. By checking each hash with password_needs_rehash() we can see whether the existing hash matches the new parameters, and affect only those that were created using old parameters.

Finally, now that we have created our hash, checked how it was created, and checked to see if it needed to be rehashed, we need to verify it. To verify a plain text password against a hash we use password_verify(). It requires two parameters, password and hash, and returns TRUE or FALSE. Let’s check our password against our hash to verify we are correct.

$authenticate = password_verify('foo', '$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22');
//TRUE
$authenticate = password_verify('bar', '$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22');
//FALSE
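To show how the four functions fit together in practice, here is an added example that is not part of the original post: a minimal register/login flow in which password_needs_rehash() is used on a successful login to upgrade hashes that were created with an older (lower) cost. The $users array, the registerUser() and loginUser() helpers, the CURRENT_COST constant and the sample credentials are all constructed for this example; it avoids scalar type hints so that it also runs on PHP 5.5.

```php
<?php
// Added example, not code from the original post.
// The cost the application wants to use today. Raising this value later lets
// the login path upgrade existing hashes transparently.
const CURRENT_COST = 12;

// Constructed in-memory stand-in for a users table: username => stored hash.
$users = [];

function registerUser(array &$users, $username, $password)
{
    // password_hash() generates its own random salt; no 'salt' option is passed.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => CURRENT_COST]);
}

function loginUser(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        // Verify against a throwaway hash anyway so that a missing user costs
        // roughly as much time as a wrong password (keeps response timing uniform).
        password_verify($password, '$2y$10$uOegXJ09qznQsKvPfxr61uWjpJBxVDH2KGJQVnodzjnglhs2WTwHu');
        return false;
    }

    $storedHash = $users[$username];
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // Credentials are valid. If the stored hash was made with older parameters
    // (for example a lower cost), replace it now, while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => CURRENT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => CURRENT_COST]);
    }
    return true;
}

// Usage: a fresh registration, plus a hash that was created earlier with cost 10
// (constructed here) and gets upgraded to CURRENT_COST on the next successful login.
registerUser($users, 'bob', 'correct horse battery staple');
$users['alice'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);

echo "alice cost before login: " . password_get_info($users['alice'])['options']['cost'] . "\n";
echo "alice, wrong password: " . var_export(loginUser($users, 'alice', 'letmein'), true) . "\n";
echo "alice, right password: " . var_export(loginUser($users, 'alice', 'hunter2'), true) . "\n";
echo "alice cost after login:  " . password_get_info($users['alice'])['options']['cost'] . "\n";
echo "unknown user: " . var_export(loginUser($users, 'nobody', 'anything'), true) . "\n";
```

The only place password_needs_rehash() is called is after password_verify() has succeeded, because that is the one moment the application holds the plaintext password and can legitimately produce a new hash; a hash that fails verification is left untouched.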

With this knowledge you now have the power to quickly and securely create password hashes in the brand new PHP 5.5.0.
