bcrypt Hashing in PHP: password_hash() Guide

Use PHP's password_hash() with PASSWORD_BCRYPT to securely store passwords. Includes verification, rehashing, and Argon2id migration examples.

PHP has built-in bcrypt support through the password_hash() function, introduced in PHP 5.5. There is no library to install — bcrypt password hashing is part of PHP's core. This makes PHP one of the easiest languages to implement secure password hashing correctly. The PASSWORD_BCRYPT constant selects the bcrypt algorithm, and PHP handles salt generation and formatting automatically.

How to Use the bcrypt Generator Tool

  1. Enter a password — Type or paste the password you want to hash.
  2. Set the cost factor — Adjust the rounds/cost (default 10; recommended 12 for modern servers).
  3. Generate the hash — Copy the 60-character hash string for comparison with your PHP output.
  4. Implement in PHP — Use password_hash() and password_verify() as shown below.

Hashing and Verifying Passwords in PHP

<?php

// Hashing a password
$password = 'mySecretPassword';
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// $hash = '$2y$12$...' (60-character string)

// Store $hash in your database — never store $password

// Verifying a password at login
function verifyLogin(string $inputPassword, string $storedHash): bool {
    return password_verify($inputPassword, $storedHash);
}

$isValid = verifyLogin('mySecretPassword', $hash);
var_dump($isValid); // bool(true)
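The cost factor above is fixed at 12, but the right value depends on the hardware the hashes are computed on. The following is an added example (not code from the original page) that times password_hash() at increasing costs and picks the highest cost that stays within a latency budget, following the calibration pattern the PHP manual describes; the 250 ms budget, the 10..16 range and the sample password are assumptions to tune for your own servers.

```php
<?php
declare(strict_types=1);

// Time one bcrypt hash at each cost in [$minCost, $maxCost].
// Returns [cost => milliseconds]. The sample password is a constructed
// fixed string; bcrypt's running time does not depend on its content.
function benchmarkBcryptCosts(int $minCost = 10, int $maxCost = 14): array
{
    $sample  = 'calibration-sample-password';
    $results = [];
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash($sample, PASSWORD_BCRYPT, ['cost' => $cost]);
        $results[$cost] = round((microtime(true) - $start) * 1000, 1);
    }
    return $results;
}

// Pick the highest cost whose single hash stays under $targetMs.
// Each +1 in cost doubles the work, so the loop stops at the first
// cost that overshoots the budget and returns the one before it.
function findBcryptCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 16): int
{
    $chosen = $minCost;
    $sample = 'calibration-sample-password';
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash($sample, PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs > $targetMs) {
            break;
        }
        $chosen = $cost;
    }
    // $minCost acts as a floor: a fast server must not push the cost
    // below what is needed to slow down offline guessing elsewhere.
    return $chosen;
}

foreach (benchmarkBcryptCosts() as $cost => $ms) {
    printf("cost=%d  %.1f ms\n", $cost, $ms);
}
printf("Chosen cost for a ~250 ms budget: %d\n", findBcryptCost(250.0));
```

Run this once on the login servers (not a developer laptop) and put the result into the `['cost' => ...]` option; repeat after a hardware upgrade and let password_needs_rehash() migrate existing users.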

Checking if a Hash Needs Rehashing

<?php

// When a user logs in successfully, check if their hash needs upgrading.
// $plainTextPassword is the password the user just submitted (which
// password_verify() has already accepted) and $storedHash is the hash
// loaded from the database for that user.
function upgradeHashIfNeeded(string $plainTextPassword, string $storedHash): ?string {
    $options = ['cost' => 12];

    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        // Rehash with the new options; the caller writes it back with
        // UPDATE users SET password = ? WHERE id = ?
        return password_hash($plainTextPassword, PASSWORD_BCRYPT, $options);
    }

    return null; // stored hash already matches the current algorithm and cost
}

Why Use password_hash() in PHP?

  • Automatic salt — PHP generates a cryptographically secure random salt automatically. You never pass a salt manually (and should not).
  • Future-proof — Using PASSWORD_DEFAULT instead of PASSWORD_BCRYPT means PHP will automatically upgrade to a stronger algorithm when the default changes in a future version.
  • Rehash support — password_needs_rehash() lets you upgrade hashes transparently at login time as you raise the cost factor.
  • No raw MD5 or SHA1 — PHP developers have historically used md5($password) for password storage — this is dangerously insecure. password_hash() is the correct replacement.
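To make the "automatic salt" point concrete, here is an added example (not from the original page) that splits a PHP bcrypt hash into its fields and shows that two hashes of the same password differ only because of the salt while both still verify. The parseBcryptHash() function and the sample password are this example's own; the field layout it checks (the $2y$ identifier, a two-digit cost, a 22-character salt and a 31-character digest, 60 characters in total) is the standard bcrypt string format that password_hash() emits.

```php
<?php
declare(strict_types=1);

// Split a PHP bcrypt hash into its fields.
//   $2y$ <cost: 2 digits> $ <salt: 22 chars> <digest: 31 chars>
// Salt and digest use bcrypt's own base64 alphabet [./A-Za-z0-9].
function parseBcryptHash(string $hash): array
{
    if (strlen($hash) !== 60) {
        throw new InvalidArgumentException('bcrypt hashes are exactly 60 characters');
    }
    // PHP's password_hash() always emits the $2y$ identifier.
    $pattern = '#^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a PHP bcrypt ($2y$) hash');
    }
    return [
        'cost'   => (int) $m[1],
        'salt'   => $m[2],
        'digest' => $m[3],
    ];
}

$password = 'correct horse battery staple'; // constructed sample password

// Same password, same cost, two calls: PHP draws a fresh random salt each time.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$p1 = parseBcryptHash($h1);
$p2 = parseBcryptHash($h2);

var_dump($p1['cost'] === 12 && $p2['cost'] === 12);   // bool(true)
var_dump($p1['salt'] !== $p2['salt']);                 // bool(true): salts differ
var_dump($p1['digest'] !== $p2['digest']);             // bool(true): so digests differ
var_dump(password_verify($password, $h1));             // bool(true)
var_dump(password_verify($password, $h2));             // bool(true): verify reads the salt from the hash

// password_get_info() exposes the same algorithm and cost without parsing.
$info = password_get_info($h1);
echo $info['algoName'], ' cost=', $info['options']['cost'], "\n"; // bcrypt cost=12
```

Because the salt is embedded in the stored string, password_verify() needs nothing besides the hash itself, which is why a salt column in the users table is unnecessary. One documented caveat to keep in mind when choosing this algorithm: bcrypt only uses the first 72 bytes of the password, so PHP silently truncates anything longer before hashing.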

Argon2id in PHP (Modern Alternative)

<?php

// PHP 7.3+ supports Argon2id — more memory-hard than bcrypt
$password = 'mySecretPassword';
$hash = password_hash($password, PASSWORD_ARGON2ID, [
    'memory_cost' => 65536, // in KiB: 64 MB
    'time_cost'   => 4,     // number of passes over the memory
    'threads'     => 1,     // degree of parallelism
]);

// password_verify() works the same way for Argon2id
var_dump(password_verify($password, $hash)); // bool(true)

Argon2id is the current NIST recommendation for new systems. For PHP 7.2 and earlier, PASSWORD_BCRYPT with a cost of 12+ remains the correct choice.
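The rehash check from the earlier section and the Argon2id option above combine into one login routine that migrates each user's hash on their next successful login, whether the change is a higher bcrypt cost or a switch of algorithm. The following is an added example, not code from the original page: the users table schema, the loginAndMigrate() and targetAlgorithm() names, and the use of an in-memory SQLite database through PDO (which assumes the pdo_sqlite extension) are all assumptions made for the demonstration. It targets Argon2id when the PHP build provides it and falls back to bcrypt at cost 12 otherwise, exactly as the section recommends for older PHP.

```php
<?php
declare(strict_types=1);

// Decide what every stored hash should look like. password_needs_rehash()
// compares a stored hash against exactly this target, so changing either
// the algorithm or its options here migrates users as they log in.
function targetAlgorithm(): array
{
    if (defined('PASSWORD_ARGON2ID')) { // PHP 7.3+ built with libargon2
        return [PASSWORD_ARGON2ID, ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

// Verify a login against the hypothetical table users(id, username, password_hash)
// and upgrade the stored hash when it is weaker than the target.
// Returns true only when the submitted password matched.
function loginAndMigrate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run a verify against a throwaway hash of the
        // same algorithm so response time does not reveal which names exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            [$algo, $options] = targetAlgorithm();
            $dummyHash = password_hash('dummy-placeholder', $algo, $options);
        }
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Successful login: this is the only moment the plaintext is available,
    // so it is the only moment a stronger hash can be produced.
    [$algo, $options] = targetAlgorithm();
    if (password_needs_rehash($row['password_hash'], $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([$newHash, $row['id']]);
    }
    return true;
}

// Demo: an in-memory database with one constructed user whose hash was made
// at bcrypt cost 10, as an older deployment might have stored it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$oldHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', $oldHash]);

var_dump(loginAndMigrate($db, 'alice', 'wrong password'));                // bool(false)
var_dump(loginAndMigrate($db, 'alice', 'correct horse battery staple'));  // bool(true)
var_dump(loginAndMigrate($db, 'nobody', 'anything'));                     // bool(false)

$stored = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();
echo password_get_info($stored)['algoName'], "\n"; // argon2id, or bcrypt (now cost 12) without libargon2
var_dump($stored !== $oldHash);                    // bool(true): hash was upgraded on login
```

The failed attempt leaves the old hash untouched, the successful one replaces it, and the unknown-user path does the same amount of hashing work as a real verification. Because targetAlgorithm() is the single source of truth, a later bump of memory_cost or cost is a one-line change that rolls out gradually with no offline reset of user passwords.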

Generate bcrypt hashes and test cost factors with the bcrypt Generator before writing your PHP code.