Verifying a password against a hash in PHP


Web services that take security seriously never store passwords in plain text. They store the output of a one-way (non-reversible) password hash such as bcrypt, and PHP ships the functions needed both to produce such a hash and to check a submitted password against it. This topic covers the checking side: verifying a plaintext password against a stored hash in PHP.

password_verify() is the built-in function (available since PHP 5.5) that checks a plaintext password against a known hash. It returns true on a match and false otherwise, and it performs the comparison in constant time, so the caller does not have to worry about timing attacks.

<?php
// $plaintextPassword is the value the user just submitted;
// $hashedPassword is the value stored at registration time,
// i.e. the output of password_hash() (or a compatible crypt() hash).
if (password_verify($plaintextPassword, $hashedPassword)) {
    echo 'Valid Password';
} else {
    echo 'Invalid Password.';
}
?>

All supported hashing algorithms record which algorithm was used, with what parameters, inside the hash string itself. A bcrypt hash produced by password_hash() is a 60-character crypt-format string of the form $2y$<cost>$<22-character salt><digest>, so the algorithm identifier, the cost factor and the salt travel with the hash. password_verify() reads them back out, which means there is no need to tell it which algorithm you hashed with, and no need for separate "algorithm" or "salt" columns in the database; password_get_info() exposes the same parsed information if you need it.
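The following added example (not code from the original page) walks through the whole lifecycle with the password_* API: it hashes one password under two different cost factors, shows that password_verify() handles both without being told the algorithm, and uses password_needs_rehash() to upgrade the weaker hash transparently at login time. It assumes the PHP CLI on PHP 5.5 or later; the function name checkLogin and the policy cost of 12 are this example's own choices.

```php
<?php
// Added example, not code from the original page. Run with the PHP CLI on
// PHP >= 5.5. Demonstrates that the hash string is self-describing (algorithm,
// cost and salt are in the prefix) and how that allows transparent upgrades.

$password = 'correct horse battery staple';

// Two hashes of the same password made under different policies: a legacy
// one with a low cost factor and a current one with the policy cost (12 here,
// an assumed value for this example).
$legacyHash  = password_hash($password, PASSWORD_BCRYPT, array('cost' => 4));
$currentHash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));

// Both hashes begin with "$2y$<cost>$" followed by the 22-character salt.
// password_get_info() parses that prefix back into algorithm name and options.
foreach (array($legacyHash, $currentHash) as $h) {
    $info = password_get_info($h);
    printf("%s...  algo=%s cost=%d\n",
        substr($h, 0, 7), $info['algoName'], $info['options']['cost']);
}

// Login check. The same password_verify() call handles both hashes because
// the algorithm and cost are read from the hash, not from an argument.
// $storedHash is taken by reference so an upgraded hash can be handed back
// to the caller for persisting.
function checkLogin($plaintext, &$storedHash)
{
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    // Opportunistic upgrade: if the stored hash is weaker than current policy,
    // rehash now, while the plaintext is in hand, and write the new value back.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => 12))) {
        $storedHash = password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => 12));
        // persist $storedHash to the user record here
    }
    return true;
}

var_dump(checkLogin($password, $legacyHash));          // legacy hash is rehashed on success
var_dump(checkLogin('wrong password', $currentHash));  // no rehash on failure
var_dump(password_get_info($legacyHash));              // now reports the policy cost
?>
```

The first checkLogin() call succeeds and leaves $legacyHash rewritten as a cost-12 hash; the second fails and leaves $currentHash untouched. Note that rehash-on-login only ever helps users who actually log in, so a cost increase still leaves dormant accounts on the old cost until they do.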

If the password_* functions are not available on your system (and you cannot use the compatibility pack linked in the remarks below), you can implement password verification with the crypt() function. Take care with the comparison step: comparing the recomputed hash to the stored one with == or === may return as soon as the first differing byte is found, which leaks how many leading bytes matched through the response time. The comparison must instead take the same time whether or not the strings match (hash_equals() does this, but only from PHP 5.6 on, so the fallback below does it by hand).

<?php
// not guaranteed to maintain the same cryptographic strength of the full `password_hash()`
// implementation
if (CRYPT_BLOWFISH == 1) {
    // `crypt()` discards all characters beyond the salt length, so we can pass in
    // the full hashed password as the salt argument
    $hashedCheck = crypt($plaintextPassword, $hashedPassword);

    // a basic constant-time comparison based on the implementation used in
    // `password_hash()`: a length mismatch can only mean failure (and reading
    // past the end of the shorter string would emit notices), so it is checked
    // first; otherwise the XOR of every byte pair is OR-ed into $status so the
    // loop never exits early and only the final result is inspected
    if (strlen($hashedCheck) !== strlen($hashedPassword)) {
        $status = 1;
    } else {
        $status = 0;
        for ($i = 0, $n = strlen($hashedCheck); $i < $n; $i++) {
            $status |= (ord($hashedCheck[$i]) ^ ord($hashedPassword[$i]));
        }
    }

    if ($status === 0) {
        echo 'Valid Password';
    } else {
        echo 'Invalid Password';
    }
}
?>
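The snippet above only covers the check. The following added example (not code from the original page) is the complete crypt()-based pair for a PHP version without password_*: it generates a bcrypt hash with a random salt, validates stored values before handing them to crypt() (which reports failure by returning a short string such as "*0" rather than raising an error), and verifies with a constant-time comparison that checks lengths first. It assumes PHP 5.3.7 or later (the $2y$ bcrypt identifier), a crypt() build with CRYPT_BLOWFISH == 1, and the openssl extension for salt bytes; the function names legacyHash, legacyVerify and timingSafeEquals are this example's own.

```php
<?php
// Added example, not code from the original page. A self-contained
// crypt()-based hash/verify pair for PHP 5.3.7 - 5.5 without password_*.
// Assumes: CRYPT_BLOWFISH == 1 and the openssl extension for random bytes.

// Build a bcrypt hash: "$2y$<cost>$" + 22 salt characters from [./A-Za-z0-9].
function legacyHash($plaintext, $cost = 10)
{
    if (CRYPT_BLOWFISH !== 1) {
        throw new RuntimeException('bcrypt is not available in crypt()');
    }
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no cryptographically strong salt source');
    }
    // base64 yields [A-Za-z0-9+/]; bcrypt's salt alphabet uses '.' instead of '+'.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($plaintext, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() signals failure with a short string ("*0" / "*1") instead of throwing.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// Constant-time comparison for PHP < 5.6 (which added hash_equals()).
// Lengths are compared first; after that every byte pair is XOR-ed and the
// results OR-ed together, so the loop always runs to the end.
function timingSafeEquals($known, $user)
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $status = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $status |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $status === 0;
}

function legacyVerify($plaintext, $storedHash)
{
    // Reject anything that is not a 60-character $2y$ bcrypt string up front,
    // so crypt()'s failure strings never reach the comparison at all.
    if (strlen($storedHash) !== 60 || substr($storedHash, 0, 4) !== '$2y$') {
        return false;
    }
    // Re-hash the candidate under the stored salt; crypt() ignores everything
    // after the salt, so the stored hash can be passed in whole.
    $check = crypt($plaintext, $storedHash);
    return timingSafeEquals($storedHash, $check);
}

$stored = legacyHash('correct horse battery staple', 10);
var_dump(legacyVerify('correct horse battery staple', $stored));   // correct password
var_dump(legacyVerify('correct horse battery stapler', $stored));  // one extra character
var_dump(legacyVerify('anything', '*0'));                          // malformed stored value
?>
```

Hashes produced by legacyHash() are ordinary $2y$ bcrypt strings, so once the host is upgraded to PHP 5.5 or later they can be checked with password_verify() unchanged, and password_needs_rehash() will treat them like any other bcrypt hash. Treat this fallback as a stopgap for old hosts only; on any supported PHP version the password_* functions and hash_equals() are always present.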
