
Password Authentication

Password authentication is the most common form of online user authentication.

The accepted way to handle passwords is never to store them at all, but to hash them with a dedicated password-hashing function such as Argon2id or bcrypt. These functions are one-way: the stored hash cannot be reversed to recover the password. Hashing is not encryption, which is reversible by anyone who holds the key. Unlike a fast general-purpose cryptographic hash such as SHA-256, a password-hashing function is deliberately slow (and, in the case of Argon2id, memory-hard) and mixes a random per-password salt into the computation, which makes brute-force guessing and precomputed-table attacks against a leaked database far more expensive.

The authentication process can be described in five steps.

  1. Hash the user’s chosen password with a fresh random salt.
  2. Store the hash (which carries the algorithm, its parameters and the salt) with the user’s record in the database; the password itself is discarded.
  3. The user submits their username and password from the login page.
  4. Look up the stored hash for that username and hash the submitted password with the same algorithm, parameters and salt.
  5. Compare the new hash with the stored hash in constant time; the login succeeds only if they match.

It is not possible to recover the password from the stored hash because the function is one-way; verification still works because the same password hashed with the same salt and parameters always produces the same hash, so only someone who knows the password can produce a matching value.


Password Authentication in PHP

PHP simplifies password authentication with the functions password_hash() and password_verify() (available since PHP 5.5; PASSWORD_ARGON2ID requires PHP 7.3+ built with Argon2 or libsodium support). These functions incorporate best practices for password hashing: they apply a strong algorithm, generate a random salt, and embed the algorithm identifier, its parameters and the salt in the returned string, so nothing else needs to be stored or managed. The preferred algorithm is PASSWORD_ARGON2ID; PASSWORD_DEFAULT uses PHP’s current default algorithm (bcrypt as of this writing) and may change in future PHP versions. Because each hash records which algorithm produced it, password_verify() keeps accepting hashes made under an older default, and password_needs_rehash() can be used at login time to upgrade them. Note that bcrypt only uses the first 72 bytes of the password, which is one more reason to prefer Argon2id.

<?php
  // Constructed sample inputs so the snippet runs stand-alone.
  $password = 'correct horse battery staple';
  $attempted_password = 'correct horse battery staple';

  // Hashing (Argon2id recommended; requires PHP 7.3+ built with Argon2 support).
  // The returned string encodes the algorithm, its parameters and a random salt.
  $hashed_password = password_hash($password, PASSWORD_ARGON2ID);

  // Verification: password_verify() reads the salt and parameters from the
  // stored hash, re-hashes the attempt and compares in constant time.
  $is_match = password_verify($attempted_password, $hashed_password);
?>
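The following is an added example, not code from the original page, that puts the five steps and the PHP functions together as a register/login pair. `$users`, `register_user()`, `login_user()` and `password_algo()` are hypothetical names chosen for illustration; `$users` is an in-memory stand-in for the database table, and the demo data is constructed.

```php
<?php
// Added example (not from the original page): the five-step flow as a
// register/login pair. $users is a hypothetical in-memory stand-in for a
// database table; the function names are illustrative assumptions.

// Prefer Argon2id when this PHP build provides it (PHP 7.3+ with Argon2 or
// libsodium); otherwise fall back to PHP's default, currently bcrypt.
function password_algo()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
}

// Steps 1-2: hash the chosen password (a fresh random salt is generated and
// embedded automatically) and store only the resulting hash.
function register_user(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, password_algo());
}

// Steps 3-5: look up the stored hash, re-hash the attempt with the salt and
// parameters encoded in it, and compare in constant time; password_verify()
// does both. A dummy hash is verified for unknown usernames so that the
// response time does not reveal which accounts exist.
function login_user(array &$users, string $username, string $password): bool
{
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        // Same algorithm and cost as real hashes, so the timing matches.
        $dummy_hash = password_hash('placeholder-not-a-real-password', password_algo());
    }

    $exists = isset($users[$username]);
    $stored = $exists ? $users[$username] : $dummy_hash;
    $ok     = password_verify($password, $stored) && $exists;

    // Transparent upgrade: if the stored hash uses an older algorithm or a
    // weaker cost than the current policy, rehash now while the plaintext is
    // available. Old hashes keep verifying until they are upgraded.
    if ($ok && password_needs_rehash($stored, password_algo())) {
        $users[$username] = password_hash($password, password_algo());
    }
    return $ok;
}

// Constructed demo data.
$users = [];
register_user($users, 'alice', 'correct horse battery staple');

var_dump(login_user($users, 'alice', 'correct horse battery staple')); // known user, correct password
var_dump(login_user($users, 'alice', 'wrong password here'));          // known user, wrong password
var_dump(login_user($users, 'nobody', 'correct horse battery staple')); // unknown user

// The stored value carries the algorithm, its parameters and the salt; the
// password itself is never written anywhere.
echo $users['alice'], PHP_EOL;
```

Two design points worth noting: verifying against a dummy hash for unknown usernames keeps the failure path as slow as the success path, which avoids leaking account existence through response timing, and calling password_needs_rehash() on every successful login is what lets you raise the cost parameters or move from bcrypt to Argon2id later without forcing a password reset. The `defined('PASSWORD_ARGON2ID')` check is there because the constant is only present when PHP was built with Argon2 (or libsodium) support.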