Password Hashes

The intended use for hashes is to detect changes, even minor ones, to file content. Because of the way a hash is computed, two almost identical files will produce very different hashes. For this purpose both the source code and the hash of that code are available: you generate a fresh hash from the source code and compare it to the supplied hash to confirm that the file was unaltered.

When hashes started being used to protect passwords, a new aspect of the security of the hash was introduced. In the intended use the original content was always supplied, so how easily a value could be found that maps to a given hash was irrelevant. For password hashes this suddenly became very relevant, and MD4 and MD5 hashes that were perfectly practical for their intended purpose were soon found to be inadequate for this new one. What is known as a rainbow table was soon developed for MD5 hashes: it lists one valid input value for each possible hash, making finding a value that will work as a password for an MD5 hash as simple as a table lookup.

Various techniques for improving the security of password hashes were introduced. Adding what is known as a 'salt' to the password before hashing it means that rainbow table lookups will only work where the values in the table were built using the same salt value. Another option is switching to a more secure hashing algorithm (in the sense that there are more possible hash values, so finding a starting value to match every possible hash in order to build a rainbow table is more time consuming). These processes only delay the inevitable though, as whatever hashing algorithm is used can potentially be broken as far as password security is concerned (MD5 hashes are still perfectly suited to their original purpose though).

With version 5.5, PHP has introduced a new solution for generating and testing password hashes. This solution can even be used with PHP 5.3 if you install and include the password.php file that contains these functions yourself. This new set of password hash functions takes care of generating a salt value for each hash and storing it within the hash value itself. It also caters for automatically upgrading to a more secure hashing mechanism whenever necessary.

To use this new password hashing in your PHP scripts, simply include create and validate calls as follows (the else branch belongs to the password_verify test, not to the rehash test):

$algorithm = PASSWORD_DEFAULT;
$options = array("cost" => 10);
// create password hash (the salt is generated and embedded in $hash)
$hash = password_hash($password, $algorithm, $options);
/* Store new hash in db */
// validate password hash
if (password_verify($password, $hash)) {
    // password correct: upgrade the stored hash if the algorithm or cost has changed
    if (password_needs_rehash($hash, $algorithm, $options)) {
        $hash = password_hash($password, $algorithm, $options);
        /* Store new hash in db */
    }
} else {
    /* password invalid */
}
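As an added example (not from the original article), the verify-and-rehash step above wrapped in a login helper that works against an in-memory user table standing in for the database; the user name, password and the raised 'cost' => 12 policy are constructed values, and the stored hash is created at cost 10 so the upgrade path is exercised.

```php
<?php
// Added example: verify a login and transparently upgrade the stored hash
// when the cost policy has been raised. $users stands in for the db table.
$users = array(
    // constructed sample row; this hash was generated with cost 10
    'alice' => array('hash' => password_hash('correct horse', PASSWORD_DEFAULT, array('cost' => 10))),
);

function verify_and_upgrade(array &$users, $username, $password, $algorithm, array $options)
{
    if (!isset($users[$username])) {
        // Verify against a throwaway hash so an unknown user costs about as
        // much time as a wrong password (avoids leaking which names exist)
        password_verify($password, password_hash('dummy', $algorithm, $options));
        return false;
    }
    $hash = $users[$username]['hash'];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Password is correct; re-hash if the stored hash uses weaker settings
    // than the current policy, and persist the new hash
    if (password_needs_rehash($hash, $algorithm, $options)) {
        $users[$username]['hash'] = password_hash($password, $algorithm, $options);
        /* in real code: UPDATE users SET hash = :hash WHERE name = :name */
    }
    return true;
}

$options = array('cost' => 12); // policy raised from 10 to 12
$before = password_get_info($users['alice']['hash']);
$ok = verify_and_upgrade($users, 'alice', 'correct horse', PASSWORD_DEFAULT, $options);
$after = password_get_info($users['alice']['hash']);
printf("login ok: %s, cost before: %d, cost after: %d\n",
    $ok ? 'yes' : 'no', $before['options']['cost'], $after['options']['cost']);
var_dump(verify_and_upgrade($users, 'alice', 'wrong password', PASSWORD_DEFAULT, $options));
var_dump(verify_and_upgrade($users, 'nobody', 'anything', PASSWORD_DEFAULT, $options));
```

password_get_info reads the cost back out of the hash string, which is how you can confirm the upgrade happened without keeping the cost in a separate column.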


This article written by Stephen Chapman, Felgall Pty Ltd.
