Verifying a password against a hash

suggest change

password_verify() is the built-in function provided (as of PHP 5.5) to verify the validity of a password against a known hash.

<?php
if (password_verify($plaintextPassword, $hashedPassword)) {
    echo 'Valid Password';
}
else {
    echo 'Invalid Password.';
}
?>

All supported hashing algorithms store information identifying which hash was used in the hash itself, so there is no need to indicate which algorithm you are using to encode the plaintext password with.

If the password_* functions are not available on your system (and you cannot use the compatibility pack linked in the remarks below) you can implement password verification with the crypt() function. Please note that specific precautions must be taken to avoid timing attacks.

<?php
// not guaranteed to maintain the same cryptographic strength of the full `password_hash()`
// implementation
if (CRYPT_BLOWFISH == 1) {
    // `crypt()` discards all characters beyond the salt length, so we can pass in
    // the full hashed password
    $hashedCheck = crypt($plaintextPassword, $hashedPassword);

    // this a basic constant-time comparison based on the full implementation used
    // in `password_hash()`
    $status = 0;
    for ($i=0; $i<strlen($hashedCheck); $i++) {
        $status |= (ord($hashedCheck[$i]) ^ ord($hashedPassword[$i]));
    }

    if ($status === 0) {
        echo 'Valid Password';
    }
    else {
        echo 'Invalid Password';
    }
}
?>

Found a mistake? Have a question or improvement idea? Let me know.

Password hashing:

* Password Hashing Functions

* Creating a password hash

* Determine if an existing password hash can be upgraded to a stronger algorithm

* Verifying a password against a hash

Table Of Contents

0 Getting started

1 Variables

2 Arrays

3 Functional programming

4 Types

5 Autoloading primer

6 Exception handling and error reporting

7 Working with dates and time

8 Sending email

9 Sessions

10 Cookies

11 Classes and objects

12 Password hashing

13 Output buffering

14 JSON

15 SOAP

16 Reflection

17 cURL

18 Dependency injection

19 XML

20 Regular expressions

21 Traits

22 Namespaces

23 Parsing HTML

24 Composer dependency manager

25 Magic methods

26 Alternative syntax for control structures

27 File handling

28 Magic constants

29 Type hinting

30 Multi-threading extension

31 Filters, filter functions

32 Generators

33 Operators

34 Constants

35 UTF-8

36 URLs

37 Object serialization

38 PHPDoc

39 Contributing to PHP Manual

40 String parsing

41 Loops

42 Control structures

43 Serialization

44 Closur

45 Reading request data

46 Type juggling and non-strict comparison issues

47 Security

48 PHP MySQLi

49 Command Line Interface CLI

50 Localization

51 Debugging

52 Superglobal variables

53 Unit testing

54 Variable scope

55 References

56 Compilation errors and warning

57 Installing PHP on Windows

58 DateTime class

59 Headers manipulation

60 Performance

61 Common Errors

62 Installing on Linux / Unix

63 Contributing to PHP Core

64 Coding conventions

65 Using MongoDB

66 Asynchronous programming

67 Using SQLSRV

68 Unicode Support

69 Functions

70 Create PDF files

71 Hot to detect client IP address

72 YAML

73 Image processing with GD

74 Multiprocessing

75 SOAP Server

76 Machine learning

77 Cache

78 Streams

79 Array iteration

80 Cryptography

81 PDO

82 SQLite3

83 Sockets

84 Outputting the value of a variable

85 String formatting

86 Compile PHP extensions

87 MongoDB

88 Manipulating an array

89 Executing upon an array

90 Processing multiple arrays together

91 SPL data structures

92 Comments

93 IMAP

94 Redis

95 Imagick

96 SimplXML

97 HTTP Authentication

98 Recipies

99 BC Math Binary Calculator

100 Docker deployment

101 WebSockets

102 APCu

103 Design patterns

104 Secure remember me

105 PHP mysqli

106 PHP built-in server

107 How to break down an URL

108 PSR

109 Contributors