
PHP password_hash

Hashing for db storage

When storing passwords it's important to ensure they're not stored in plain text. This goes without saying these days, but there are still some systems that do this. Some hashing options such as md5 are easy to use, but are not recommended for use in any system these days. The reason is that computing power has improved significantly since md5 was first introduced in 1991, which means brute-force attacks are likely to succeed with ease.

The stock options in PHP, however, keep hashing fairly simple; the code below shows how to hash a password string.

Using the bcrypt algorithm

PHP
<?php
echo password_hash("password123", PASSWORD_DEFAULT);
?>

By default, the password_hash function uses the bcrypt algorithm (PHP 5.5.0 onwards); however, other options are available.

Using the blowfish algorithm

PHP
<?php
echo password_hash("password123", PASSWORD_BCRYPT);
?>

Despite what the above looks like, the PASSWORD_BCRYPT option uses the Blowfish algorithm (bcrypt is built on the Blowfish cipher).
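The snippets above only produce a hash. As an added example (not code from the original post), the sketch below shows the full storage cycle: hashing at registration, checking at login with password_verify, and upgrading old hashes with password_needs_rehash. The `$users` array, the `register` and `login` functions and the user names are hypothetical stand-ins for a real database layer.

```php
<?php
// Added example. $users stands in for a database table (constructed data).
$users = [];

function register(array &$users, string $name, string $password): void
{
    // The salt and cost are generated for us and embedded in the result,
    // so one text column (the PHP manual suggests 255 chars) stores it all.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // If PHP's default algorithm or cost has moved on since this hash was
    // created, re-hash while we still have the plain-text password.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register($users, 'alice', 'password123');
register($users, 'bob', 'password123');

// Compare two stored hashes of the same password: each has its own salt.
var_dump($users['alice'] === $users['bob']);
// Compare two md5 digests of the same password: md5 adds no salt.
var_dump(md5('password123') === md5('password123'));

// Correct password, then a wrong one.
var_dump(login($users, 'alice', 'password123'));
var_dump(login($users, 'alice', 'wrong-password'));

// Print the algorithm name PHP reports for each constant used in the post.
foreach ([PASSWORD_DEFAULT, PASSWORD_BCRYPT] as $algo) {
    echo password_get_info(password_hash('password123', $algo))['algoName'], "\n";
}
```

Never compare a freshly computed hash with the stored one using `===`; because every call to password_hash uses a new salt, only password_verify can check a password against a stored hash.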

Official documentation for password_hash is here for further reading.


