
password_hash() — Native Bcrypt (PHP 5.5)

Language: PHP · Requires: PHP 5.5+ · Level: Beginner

TL;DR

PHP 5.5 added password_hash() and password_verify(), the recommended way to hash and verify passwords in PHP. Never use MD5, SHA-1 or any unsalted hash for password storage.

Explanation

password_hash($password, PASSWORD_BCRYPT) generates a bcrypt hash with a random per-password salt and a cost factor; both are embedded in the returned string (for bcrypt, a 60-character string starting with $2y$). password_verify($input, $hash) reads the algorithm, cost and salt back out of $hash, so you store only the full hash string and never a separate salt. Do not pass your own salt: the salt option was deprecated in PHP 7.0 and removed in PHP 8.0.

PASSWORD_DEFAULT currently means bcrypt but may change in a future PHP release, so keep the hash in a column that can hold at least 255 characters rather than exactly 60. PHP 7.2+ adds PASSWORD_ARGON2I and PHP 7.3+ adds PASSWORD_ARGON2ID (preferred); both constants exist only when PHP was built with Argon2 support, so check defined('PASSWORD_ARGON2ID') before relying on them. password_needs_rehash($hash, PASSWORD_DEFAULT) returns true when the stored hash was produced with a different algorithm or cost than the one you now pass; call it right after a successful login, because that is the only moment you hold the verified plaintext needed to rehash.

Never use MD5 or SHA-1 for passwords, unsalted hashes, a static salt shared by all users, or reversible encryption in place of hashing.

Common Misconception

"MD5 with a salt is secure for passwords." A salt defeats precomputed rainbow tables, but MD5 is still a fast checksum hash: a modern GPU computes billions of MD5 hashes per second, so salted MD5 falls to plain brute force. Bcrypt and Argon2 are deliberately slow (Argon2 is also memory-hard) and carry a tunable cost, so each guess stays expensive as hardware improves.

Why It Matters

Password storage is the single most critical security function in most web apps — one wrong choice exposes every user's credentials in a breach.

Common Mistakes

  • Using md5($password) or sha1($password): unsalted, so rainbow tables crack common passwords instantly, and even with a salt they fall to GPU brute force.
  • Not calling password_needs_rehash() after a successful login: old hashes never migrate to the current algorithm or cost, and a legacy md5 column stays md5 forever.
  • Forgetting that bcrypt uses only the first 72 bytes of the password: bytes past that are silently ignored, in every bcrypt implementation, not just older ones. Argon2 has no such limit. If you must stay on bcrypt and want to accept long passwords, pre-hash with SHA-256 and base64-encode the digest before passing it to password_hash(), so that no raw NUL byte reaches bcrypt.
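The login path the mistakes above point at, as an added example written for this page (not code from the original entry): it verifies a stored hash, migrates a legacy unsalted md5 row to password_hash() on the user's next successful login, raises the cost of an existing bcrypt hash that is below the current target, spends the same verification time on unknown usernames so response time does not reveal which accounts exist, and ends with a check that shows bcrypt's 72-byte truncation. The in-memory $users array, the assumption that the old scheme was plain md5, and the target cost of 12 are constructed for the example; it assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample user table: an in-memory array standing in for one DB row
// per user. 'legacy' was stored by an old version of the app as unsalted md5;
// 'modern' already has a bcrypt hash, deliberately at cost 10 (below the cost
// targeted below) so that password_needs_rehash() has something to upgrade.
$users = [
    'legacy' => ['hash' => md5('correct horse')],
    'modern' => ['hash' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10])],
];

// Computed once per process: a hash of a random value that is verified whenever
// the username does not exist, so a login attempt for an unknown user takes as
// long as one for a real user (otherwise response time reveals valid usernames).
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT, ['cost' => 12]);

// Verify $password for $username and, on success, bring the stored hash up to
// the current algorithm and cost. Returns true only for a correct password.
function loginAndUpgrade(array &$users, string $username, string $password, string $dummyHash): bool
{
    $options = ['cost' => 12]; // assumed target: what every hash should look like from now on

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash); // spend the same time as a real check
        return false;
    }

    $stored = $users[$username]['hash'];
    $info   = password_get_info($stored);
    // 'algo' is null (PHP 7.4+) or 0 (older) when $stored was not produced by
    // password_hash(); in this table that means a legacy md5 row.
    $isLegacy = empty($info['algo']);

    if ($isLegacy) {
        // Assumption for the example: the old scheme was plain md5 (hex output).
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // The verified plaintext is in hand only right here, so this is the only
    // place a rehash can happen. password_needs_rehash() is true when the stored
    // hash's algorithm or cost differs from the target passed in.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT, $options)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

// bcrypt uses only the first 72 bytes of the password, in every implementation:
// two passwords that differ after byte 72 verify against the same hash.
// Argon2 (PASSWORD_ARGON2ID, where available) has no such limit.
function bcryptIgnoresBytesPast72(): bool
{
    $prefix = str_repeat('a', 72);
    // cost 4 is the bcrypt minimum; used here only to keep the demonstration quick
    $hash = password_hash($prefix . 'X', PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($prefix . 'Y', $hash);
}

// Walk-through on the constructed table.
var_dump(loginAndUpgrade($users, 'legacy', 'wrong password', $dummyHash)); // wrong password: rejected, row untouched
var_dump(loginAndUpgrade($users, 'legacy', 'correct horse', $dummyHash));  // correct password: accepted, md5 row replaced
var_dump(password_get_info($users['legacy']['hash'])['algoName']);          // algorithm of the migrated row
var_dump(loginAndUpgrade($users, 'modern', 'battery staple', $dummyHash)); // accepted, cost-10 hash replaced at the target cost
var_dump(password_get_info($users['modern']['hash'])['options']['cost']);   // cost of the upgraded row
var_dump(loginAndUpgrade($users, 'nobody', 'anything', $dummyHash));        // unknown user: rejected after a dummy verify
var_dump(bcryptIgnoresBytesPast72());                                       // passwords differing past byte 72 collide under bcrypt
```

The legacy branch is the part to adapt: if the old scheme was md5($password . $salt) with a per-row salt, compute the same thing from the stored salt before hash_equals(), and drop the branch entirely once a scheduled job has forced resets for any rows that never logged in again.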

Code Examples

✗ Vulnerable
$hash = md5($password);              // Unsalted and fast: rainbow tables or a GPU crack it instantly
$hash = md5($password . $salt);      // Salt blocks rainbow tables, but MD5 is still GPU-crackable at billions of guesses per second
$hash = hash('sha256', $password);   // Wrong tool: SHA-256 is built for speed, not for password stretching (PHP has no sha256() function)
✓ Fixed
// Hash on registration. PASSWORD_ARGON2ID needs PHP 7.3+ built with Argon2 support;
// on other builds fall back to PASSWORD_DEFAULT (currently bcrypt).
$algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
$hash = password_hash($password, $algo);

// Verify on login:
if (password_verify($inputPassword, $storedHash)) {
    // Upgrade the stored hash if the algorithm or its parameters changed:
    if (password_needs_rehash($storedHash, $algo)) {
        $newHash = password_hash($inputPassword, $algo);
        // Persist $newHash for this user (e.g. UPDATE users SET password_hash = ? WHERE id = ?)
    }
}

Added 23 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Replace every MD5/SHA-1/SHA-256 password hash with password_hash($password, PASSWORD_DEFAULT) (or PASSWORD_ARGON2ID on PHP 7.3+ built with Argon2 support), verify with password_verify(), and call password_needs_rehash() after each successful login so old hashes are upgraded. Never store plaintext or reversibly encrypted passwords.
📦 Applies To
PHP 5.5+ web cli
🔍 Detection Hints
md5.*password|sha1.*password|sha256.*password
Auto-detectable: ✓ Yes phpcs semgrep phpstan
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Medium Context: Function Tests: Update
CWE-916 (Use of Password Hash With Insufficient Computational Effort) · CWE-328 (Use of Weak Hash) · CWE-759 (Use of a One-Way Hash without a Salt)
