How to Secure Password Using bcrypt in PHP?

In this tutorial, I will show you how to secure passwords using bcrypt in PHP? This tutorial will be point-to-point so each level of the developer can understand easily. I will explain every point related to this topic. So please read till the end.

Everyone knows that the plain text password stored in the database is not secure and attackers can easily crack this password. So do not store plain text as a password.

Why You Should Not Use Plain Text Password?

You should never use simple plain text as a password in the database. It will be very risky and you can lose your data because a plain text password is very easy to crack for attackers.

If you enter a password like “password123” and store it in the database the same as it then you will be in trouble, attackers can harm your all data or can delete it. So always used alphanumeric and special characters in the password and then make it hash the password using the inbuilt function password_hash() in PHP.

The password_hash() is the inbuilt function and uses a strong algorithm to make the password secure. We will understand below with an example.

What is the mean Encrypt and Decrypt Password?

We all use to say encrypt the password or decrypt the password but actually, there is no algorithm for decrypt the password. We can only encrypt the password add salt to make it secure using inbuilt functions like password_hash(), md5(), and sha1(). But I would suggest you use the password_hash() function. It is very secure. And it is available for PHP 5.5 or above.

Are you wonder, then how you can know that if a user enters the correct password or not? It is very simple and easy to understand how the password_hash() algorithm works.

So, when the user enters the password then we don’t check this plain text match with that password stored in the database. Actually, we compare the two hashes password. Firstly, we convert the user input password into a hash password and then we compare this with the stored password in the database. If two hashes match then the user input password is correct.

Bcrypt in PHP Using password_hash()

As I said above, the password_hash() function is an inbuilt function in PHP 5.5 or above. It uses a very strong algorithm to create a new password hash. It is very tough for attackers to crack the password of this algorithm. This is a one-way algorithm, which means you cannot get the original text back after encrypting with this function. You have to use the password_verify() function for comparison to check the user has entered the wrong password or not.

The password_hash() function is compatible with crypt() function, which means those password hashes created by crypt() function can be used password_hash() function for comparison.

Syntax

password_hash ( string $password , mixed $algorithm , array $options)

In this function, all parameter has a different role like:
$password: This parameter used to hold the user password
$algorithm: This will be the password algorithm name which one we want to use.
$options: This will an associative array with salt name. If we leave it as blank then password_hash() function will use randomly salt to make a secure password.

The following algorithms are currently supported:

1. PASSWORD_DEFAULT
2. PASSWORD_BCRYPT
3. PASSWORD_ARGON2I
4. PASSWORD_ARGON2ID

You can read more about these algorithms here.

Let’s see the examples of each algorithms:

PASSWORD_DEFAULT

<?php echo password_hash("yourblogcoach@123", PASSWORD_DEFAULT);

     //OUTPUT: $2y$10$4L9C4Cr5izA6e4Bc40JjXOmGkp3TBHwJkV2KK/Q127cSTUFZjf3OG
?>

PASSWORD_BCRYPT

<?php $options = [
         'cost' => 16,
     ];
  
     echo password_hash("yourblogcoach@123", PASSWORD_BCRYPT, $options);

     //OUTPUT: $2y$16$yuRHH6hWO.WsoKlD/hfP3.ZCdZpyp2b.KVkW5KqhOTLDLZBHPYMEu 
?>

PASSWORD_ARGON2I

<?php $options = [
         'cost' => 5,
     ];
  
     echo password_hash("yourblogcoach@123", PASSWORD_ARGON2I, $options);

     //OUTPUT: $argon2i$v=19$m=65536,t=4,p=1$a0p1b3VxZXN5b2wzZEd5Zg$3dza7puKDWDmKLUYxuo16AyFB4yegketp7hYiF/3Brw
?>

PASSWORD_ARGON2ID

<?php $options = [
         'cost' => 5,
     ];
  
     echo password_hash("yourblogcoach@123", PASSWORD_ARGON2ID, $options);

     //OUTPUT: $argon2id$v=19$m=65536,t=4,p=1$c0g5RkVVZ1JXQU1YVDh6dA$SiJebVOq8lN5ABOkWXs5Wy2DwK8w0wD2cFGwBS8Z2t8
?>

So these are the examples of each algorithms. Check it carefully and see the difference of each one.

Note: PASSWORD_ARGON2I and PASSWORD_ARGON2ID algorithms will only work if PHP has been compiled with Argon2 support.

How to Verify Users Password

Ok. So you have saved the password hash in the database using the above function with bcrypt in PHP and now want to confirm the users entered the correct password or wrong. So, for this we need to use password_verify() function. It will compare the user entered password and database stored password. If it match then it means password is correct and you can make specific condition on success at this step in code.

Let’s see the example below:

$servername = "localhost";
$uname = "root";
$pass = "";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $uname, $pass, $dbname);
// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
} 

//Input Value
$username= $_POST['username'];
$password = $_POST['password'];

$user_sql = "SELECT id, username, password FROM users WHERE username = '".$username."'";
$user_result = $conn->query($user_sql);

$db_password = '';
while($row = $user_result->fetch_assoc()) {
    $db_password = $row["password"];
}

if($user_result !== false){
    //Compare the password attempt with the password we have stored.
    $validPassword = password_verify($password, $db_password);
    if($validPassword){
        //your code here on success
    }
}

$conn->close();

Explain the above code what I did in code?
Firstly, I made a connection to my host server and connect it. Then I get the user’s value from the database belongs to this user with matches the username condition. And then finally we have both value user input password and stored password. So we compare these two password with password_verify() function to check password is correct or not. It is very simple check it line by line.

So, That’s it.

I hope you understand how to secure password using bcrypt in PHP. If you still have any query then let me know I will help you with that.

READ MORE ARTICLE
How to Prevent SQL Injection in PHP to save your data from the attackers.