{
    "slug": "password_verify",
    "term": "password_verify()",
    "category": "php",
    "difficulty": "beginner",
    "short": "Checks a plaintext password against a bcrypt/Argon2 hash produced by password_hash() — the correct way to validate passwords.",
    "long": "password_verify($plaintext, $hash) compares a user-supplied password against a stored hash created by password_hash(). It automatically extracts the algorithm, cost, and salt from the stored hash string and is timing-safe. Never compare password hashes with == or === — this is vulnerable to timing attacks and type juggling. password_verify() always returns bool and handles all supported PHP password algorithms transparently.",
    "aliases": [
        "password_verify()",
        "PHP password check",
        "bcrypt verify"
    ],
    "tags": [
        "php",
        "authentication",
        "security",
        "passwords"
    ],
    "misconception": "password_verify() can be replaced with hash comparison using ===. password_verify() performs a constant-time comparison internally. Using === leaks timing information, and also fails to account for future algorithm upgrades handled automatically by password_needs_rehash().",
    "why_it_matters": "password_verify() extracts the algorithm and salt from the stored hash and recomputes it — it is the only correct way to verify a password_hash() result because the salt is embedded.",
    "common_mistakes": [
        "Comparing hashes with === instead of password_verify() — the embedded salt means the same password produces different hashes.",
        "Not calling password_needs_rehash() after a successful verify — misses the opportunity to upgrade old hashes.",
        "Using password_verify() to compare non-password hashes like HMACs — use hash_equals() for those.",
        "Assuming password_verify() is timing-safe against all attacks — it is, but only use it for password_hash() outputs."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "password_hash",
        "bcrypt",
        "argon2",
        "timing_attack",
        "hash_equals"
    ],
    "prerequisites": [
        "key_derivation_functions",
        "bcrypt",
        "authentication_bypass"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.password-verify.php"
    ],
    "bad_code": "// Wrong — hashing again and comparing:\n$inputHash = password_hash($input, PASSWORD_BCRYPT);\nif ($inputHash === $storedHash) { /* Always false — different salts */ }\n\n// Correct:\nif (password_verify($input, $storedHash)) { /* Correct */ }",
    "good_code": "// Constant-time, extracts salt from hash automatically\n\\$hash  = \\$user->password; // from database\n\\$input = \\$_POST['password'];\n\nif (password_verify(\\$input, \\$hash)) {\n    // Authenticated — check if rehash needed\n    if (password_needs_rehash(\\$hash, PASSWORD_ARGON2ID, ['memory_cost' => 65536])) {\n        \\$new = password_hash(\\$input, PASSWORD_ARGON2ID);\n        User::where('id', \\$user->id)->update(['password' => \\$new]);\n    }\n} else {\n    // Wrong password — use identical code path as 'user not found' to prevent enumeration\n    abort(401, 'Invalid credentials');\n}",
    "quick_fix": "Use password_verify($input, $hash) — it's constant-time and handles the salt embedded in the bcrypt/argon2 hash automatically; never compare hashes with == or ===",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/password_verify",
        "html_url": "https://codeclaritylab.com/glossary/password_verify",
        "json_url": "https://codeclaritylab.com/glossary/password_verify.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[password_verify()](https://codeclaritylab.com/glossary/password_verify) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/password_verify"
            }
        }
    }
}