bcrypt
password_hash / password_verify
Hash and verify passwords with bcrypt. Equivalent to PHP password_hash/password_verify.
How to Use
Overview
A tool for hashing strings with bcrypt or checking hash strings.
One common use case for hashing is "storing passwords".
As a fundamental principle, you cannot reverse a hash string back to the original data (one-way).
It is not possible to derive the original password string from its bcrypt hash.
Therefore, passwords are not stored as-is — instead, the hash string is typically stored.
The same password string, hashed with the same salt and cost, will always produce the same hash string.
This means you can verify a string by comparing it with a known hash.
(For example, to check whether a hash was generated from a given password)
Hashing (password_hash)
bcrypt hashing is performed with code like the following.
$hash = password_hash('string_to_hash', PASSWORD_BCRYPT, [
    'cost' => 10, // integer work factor; replace with the desired cost
]);
Hash strings generated by bcrypt include a salt (random string), so a different string is produced each time.
$2y$10$Z0kGQ04hCto9dnMu.GyzWOWNQmoKyeF5PXH.zsrf/I.yNJRcbdN86
The default cost for the password_hash function is 10.
While password_hash itself accepts a range of 4–31, this tool limits it to 4–15 to avoid excessive server load.
(Higher values can take a very long time to process.)
Hash verification (password_verify)
bcrypt hash strings follow a specific format that includes the salt and stretching count, making it possible to verify whether a hash was generated from a given string.
bcrypt hash verification is performed with code like the following.
$result = password_verify('original_string', 'hash_string_to_verify');
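The following is an added example, not code from this tool: it splits a bcrypt hash into the version, cost, salt and digest fields described above, shows that re-hashing with the embedded salt reproduces the stored hash, and re-hashes at a higher cost after a successful login. The helper names parse_bcrypt and verify_and_upgrade, the sample password and the target cost of 12 are assumptions made for illustration.

```php
<?php
// Added example. parse_bcrypt() and verify_and_upgrade() are hypothetical helper names.

// Split a bcrypt hash into the fields it carries:
// $<version>$<cost>$<22-char salt><31-char digest>
function parse_bcrypt(string $hash): ?array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/D';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a well-formed bcrypt hash
    }
    return ['version' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Check a login attempt. When the stored hash was made with a different cost
// than the current policy, also return a replacement hash to store.
function verify_and_upgrade(string $password, string $stored, int $cost): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $opts = ['cost' => $cost];
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return ['ok' => true, 'new_hash' => $new];
}

$password = 'correct horse battery staple'; // constructed sample input

// Each call draws a fresh salt, so two hashes of one password differ.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("hashes equal: %s\n", var_export($h1 === $h2, true));
print_r(parse_bcrypt($h1));

// Re-running bcrypt with the salt and cost embedded in $h1 reproduces $h1;
// this is the comparison password_verify() performs.
$recomputed = crypt($password, $h1);
printf("recomputed matches: %s\n", var_export(hash_equals($h1, $recomputed), true));

// A wrong password is rejected; the correct one is accepted and re-hashed at cost 12.
var_dump(verify_and_upgrade('wrong guess', $h1, 12)['ok']);
$result = verify_and_upgrade($password, $h1, 12);
var_dump($result['ok'], parse_bcrypt($result['new_hash'])['cost']);
```

Store the returned new_hash in place of the old one so existing accounts move to the higher cost as their owners log in.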