Home/Guides/PHP password_hash Examples

PHP Security Guides

PHP password_hash Examples

Use password_hash and password_verify correctly for PHP login password storage.

PHP includes a dedicated password API. Use it instead of plain hashing functions for login passwords.

Code examples

$hash = password_hash($password, PASSWORD_DEFAULT);

Verify a login attempt:

if (password_verify($password, $hash)) {
    // Password is valid.
}

Common errors

Do not use md5(), sha1(), or raw hash('sha256', ...) for password storage. Those functions are not password hashing APIs.

Try the PHP Password Hash Generator Helper.

FAQ

Should I choose bcrypt manually?

PASSWORD_DEFAULT is usually a good default because PHP can update it over time.

Can I compare password hashes with ===?

No. Use password_verify to check a password against a stored hash.

Related tools