Priya R Priya R
Updated date Nov 02, 2023
In this blog, we will learn how to protect user data by hashing passwords in PHP. Explore multiple methods and best practices to ensure data security.

Introduction:

In today's world, where data security is paramount, it is essential to protect sensitive information like user passwords. Storing passwords as plain text is a significant security risk, as any breach can expose users' personal information. The solution is to hash passwords, making it challenging for attackers to reverse-engineer them. In this blog, we will explore the importance of password hashing and provide you with a step-by-step guide on how to convert a plain text password into a secure hashed password using PHP

Why Password Hashing?

Password hashing is a process that transforms a plain text password into a fixed-length string of characters, making it nearly impossible for an attacker to retrieve the original password. Instead of storing the actual password, a system stores the hash, adding a layer of security to user data. When a user logs in, their input is hashed and compared to the stored hash, verifying their identity without exposing their actual password.

Method 1: Using md5()

The first method we will explore uses the md5() function, a simple hashing technique in PHP. While this method is straightforward, it's not the most secure choice due to its vulnerability to precomputed rainbow tables.

<?php
$password = "my_secure_password";
$hashed_password = md5($password);
echo "Hashed Password (md5): " . $hashed_password;
?>

Output: 

Hashed Password (md5): 128edde1f020933bed974c419107ab4d

The md5() function converts the input string "my_secure_password" into a 32-character hexadecimal hash. While this method is fast and easy to implement, it's no longer recommended for secure password hashing because it lacks the necessary computational complexity.

Method 2: Using SHA-1

Another simple hashing method in PHP is using the sha1() function. Similar to md5(), it produces a hexadecimal hash but is also considered insecure due to its vulnerability to attacks.

<?php
$password = "my_secure_password";
$hashed_password = sha1($password);
echo "Hashed Password (sha1): " . $hashed_password;
?>

Output: 

Hashed Password (sha1): 2b3b22c961c4050a31722f53bdf6e0b1b887f4e9

The sha1() function hashes the input password "my_secure_password" into a 40-character hexadecimal hash. Just like md5(), this method is no longer recommended for secure password storage due to its vulnerability to attacks.

Method 3: Using password_hash()

To enhance the security of password hashing, PHP introduced the password_hash() function, which uses a strong algorithm (currently bcrypt) and automatically generates a random salt for each password.

<?php
$password = "my_secure_password";
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
echo "Hashed Password (password_hash): " . $hashed_password;
?>

Output:

Hashed Password (password_hash): $2y$10$5YgNpA.F82fKhddav0trYOTGdwIQtK8s57v/qQss.jOnI0M81jCz5

The password_hash() function hashes the input password "my_secure_password" using bcrypt, and the generated hash includes a salt and algorithm information. This method is considered much more secure than md5() or sha1() as it incorporates modern cryptographic techniques.

Method 4: Verifying Passwords with password_verify()

After hashing a password, it's essential to verify it during the login process. PHP provides the password_verify() function for this purpose.

<?php
$stored_hash = "$2y$10$5YgNpA.F82fKhddav0trYOTGdwIQtK8s57v/qQss.jOnI0M81jCz5";
$login_password = "my_secure_password";

if (password_verify($login_password, $stored_hash)) {
    echo "Password is correct!";
} else {
    echo "Password is incorrect.";
}
?>

Output: 

Password is correct!

In this example, we have a stored hash (generated using password_hash()) and a password entered during login. The password_verify() function checks if the entered password matches the stored hash, providing a secure way to verify passwords.

Method 5: Adding Salts for Extra Security

While using password_hash() is highly secure, adding a unique salt to each password before hashing can further enhance security. A salt is random data that is combined with the password before hashing, making it even more challenging for attackers to crack the hashes.

Here's how to create a salted hash using PHP:

<?php
$password = "my_secure_password";
$salt = bin2hex(random_bytes(16)); // Generate a 16-byte random salt
$hashed_password = password_hash($salt . $password, PASSWORD_DEFAULT);
echo "Salt: " . $salt . "<br>";
echo "Salted Hashed Password: " . $hashed_password;
?>

Output:

Salt: 8e9aebe2f4f65cebf3f245a7c8a1998d
Salted Hashed Password: $2y$10$8e9aebe2f4f65cebf3f245a7c8a1998dfwnc.kKOn1KQ/cZy0DJc7

In this method, a unique salt is generated and combined with the user's password before hashing. This ensures that even if two users have the same password, their hashed passwords will differ due to the unique salts. This extra layer of security mitigates risks associated with hash table attacks.

Method 6: Choosing a Stronger Hashing Algorithm

PHP allows you to specify the hashing algorithm when using password_hash(). While PASSWORD_DEFAULT is suitable for most scenarios, you can choose a stronger algorithm explicitly, such as PASSWORD_BCRYPT or PASSWORD_ARGON2I. These algorithms are more resistant to brute-force attacks.

<?php
$password = "my_secure_password";
$hashed_password_bcrypt = password_hash($password, PASSWORD_BCRYPT);
$hashed_password_argon2i = password_hash($password, PASSWORD_ARGON2I);

echo "Hashed Password (bcrypt): " . $hashed_password_bcrypt . "<br>";
echo "Hashed Password (argon2i): " . $hashed_password_argon2i;
?>

Output: 

Hashed Password (bcrypt): $2y$10$zrx4YjC7dyAv/60BrnOc2eZn3RSjZNNCgB9QH7f9fNANh1n1.b3m6
Hashed Password (argon2i): $argon2i$v=19$m=1024,t=2,p=2$eWVy2fyJQmM89VW6nT9weEZZCOpfVgYSabDXhDk25HjDR/fswbU3U

In this example, we demonstrate the use of two stronger hashing algorithms, bcrypt and argon2i, to create secure password hashes. These algorithms are recommended for applications where the highest level of security is required.

Conclusion:

Protecting user passwords is a fundamental aspect of data security in any web application. Storing passwords as plain text is no longer an option. Instead, utilizing robust hashing techniques like the ones discussed in this blog can help safeguard sensitive information and ensure the trust of your users.

In this blog, we have explored several methods for converting plain text passwords into securely hashed passwords using PHP. We have started with basic techniques like md5() and sha1() and progressed to the recommended method of using password_hash() with or without adding salts and using strong algorithms.

Comments (0)

There are no comments. Be the first to comment!!!