How to create secure password in php 5.5+ with hashing

In this tutorial I’ll show you how to hash password in php 5.5 and verify the same. Most of the developer still using old password encryption method in php like MD5 and SHA1. You must update your password hashing algorithm. In latest php5.5 there is a two function (password_hash(), password_verify()) which will help you create more secure password and verify the same.

Note: These functions are only compatible on php5.5+
In this new hashing algorithm it uses bcrypt (its a key derivation function for passwords). So here we’ll learn how to use these new php function to create more secure password.
password_hash(): Creates a password hash

string password_hash ( string $password , integer $algo [, array $options ] )

password_verify(): Verifies that a password matches a hash

boolean password_verify ( string $password , string $hash )

Use default method to quick hash your password.

$password = '';
echo password_hash($password, PASSWORD_DEFAULT);

Output: $2y$10$ytD4OrhnhWGC1TwFVqL5IeTD54Q9Gdrgw4mn3Nq230x7p6OKCF4qK

This is presently BCRYPT, and will produce a 60 character result, Beware that DEFAULT may change over time, so you would want to prepare,By allowing your storage to expand past 60 characters (255 would be good)

Lets change the default settings and allow default cost for BCRYPT to 12.
Note: that we also switched to BCRYPT, which will always be 60 characters.

   $password = '';
   $options = [
    'cost' => 12,
  echo password_hash($password, PASSWORD_BCRYPT, $options);

After successful hashing time to verify your hashed password.
Verifies that the given hash matches the given password.
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that’s needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

$password = '';
// See the password_hash() example to see where this came from.
$hash = '$2y$10$ytD4OrhnhWGC1TwFVqL5IeTD54Q9Gdrgw4mn3Nq230x7p6OKCF4qK';
if (password_verify($password, $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';


If you like this post please don’t forget to subscribe my public notebook for more useful stuff