PHP Argon2 Password Hashing

Writer #1,

Password Hashing Overview

In the world of web development and password storage, an ongoing debate lingers on, and probably will forever.

The currently accepted “best practice” for hashing passwords is called Argon2 (wikipedia link to argon2). To give a brief overview of what it is, it takes any string (like your password) and converts it to a random-looking string which is non-reversible, which means you cannot convert it back. This makes it a one-way hash. The only way to arrive at this hash is to convert it again. So, as a developer, you save the hash value in your database, not the actual password, so if your database gets stolen the thief will not have any usable passwords.

When the user wants to log in, they provide their actual password, which only they know, and then you run it through the password hash function and it returns a hash value, which you compare to what you have stored in your database. If those match then the user must have entered the right password and you give them access.

A hashed argon2 string will look something like this:

$argon2id$v=19$m=65536,t=4,p=1$VkxKNjNLenptZjU4OrJ5MQ$1FVGeYmHSjT2dXM2+cJIb9NX6mq/iYlNQ3j1/UZrSAg

That is what you would store in your database; not the actual password.

PHP Example of Argon2

Argon2 is more complicated than other hashing algorithms in that it doesn’t generate the same hash twice, but somehow it knows if any particular hash came from the password provided. I’m not a hashologist or anything so I won’t pretend to know how it works. I’m just trusting that the PHP community is telling me the truth that this is the most secure way to do it.

PHP uses the built-in functions called password_hash()and password_verify().

$hashed_password = password_hash('d@ng-1'm-s3CUre', PASSWORD_ARGON2ID);

// optional echo, for demonstration purposed only:
echo $hashed_password;

That will return something like this:

$argon2id$v=19$m=65536,t=4,p=1$VkxKNjNLenptZjU4OVJ5MQ$1fVGEYmHSjT6dXM2+cJIb9NX6mq/iYlNQ3j1/UZrSAg
So you would save that in your database in the password field.
Then, when a user tries to log in, you would compare the password given to that hash.
$input_password = 'd@ng-1'm-s3CUre';

$hashed_password = '$argon2id$v=19$m=65536,t=4,p=1$VkxKNjNLenptZjU4OVJ5MQ$1fVGEYmHSjT6dXM2+cJIb9NX6mq/iYlNQ3j1/UZrSAg';
if (password_verify($input_password, $hashed_password)) {
    echo "true";
} else {
    echo "false";
}
Of course, your true and false actions would not actually be echoing the word “true” or “false”. You would instead add some actions that set this user’s session to an authenticated session.
PHP

Leave a Reply

Your email address will not be published. Required fields are marked *