
    Lesson 25 • Advanced

    Password Security 🔑

    Hash passwords with Argon2/bcrypt, implement strength validation, auto-rehash old hashes, and store credentials safely.

    What You'll Learn in This Lesson

    • Why MD5/SHA1 are dangerous for passwords
    • Use password_hash() and password_verify() properly
    • Configure Argon2id for maximum security
    • Auto-rehash with password_needs_rehash()
    • Build a password strength checker

    Password Hashing Fundamentals

    PHP's password_hash() and password_verify() are the functions to use for password storage. password_hash() picks a current algorithm, generates a random salt, and encodes the algorithm, its parameters and the salt into the string it returns; password_verify() reads those back out and compares in constant time, so you never handle salts or algorithm identifiers yourself. Never use MD5, SHA-1, SHA-256 or any other fast hash for passwords, salted or not: a GPU can test billions of such hashes per second, and a salt only prevents precomputed lookups, it does not slow down guessing.
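The registration and login flow this describes, as an added example that is not part of the lesson's own code. The `$users` array stands in for a database table, the e-mail address and passphrase are constructed sample data, and the bcrypt cost of 12 is an assumption you should tune to your hardware. The login path also shows the user-enumeration defence discussed under Common Mistakes below: an unknown e-mail still costs one password_verify() against a dummy hash.

```php
<?php
declare(strict_types=1);

// Added example, not the lesson's code. $users stands in for a DB table.

/** Hash a new password for storage. PASSWORD_DEFAULT is bcrypt in current PHP. */
function createUser(array &$users, string $email, string $password): void
{
    // password_hash() generates a random salt and encodes algorithm, cost and
    // salt into the returned string, so only this one string needs storing.
    // cost=12 is an assumed value; measure on your own login servers.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT, ['cost' => 12])];
}

/**
 * Verify a login attempt. When the e-mail is unknown we still run
 * password_verify() against a fixed dummy hash (same cost as real hashes) so
 * the response time does not reveal whether the account exists.
 */
function login(array $users, string $email, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT, ['cost' => 12]);

    $hash = $users[$email]['hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash);

    // One generic result for both failure cases; the caller is never told
    // whether the e-mail or the password was wrong.
    return isset($users[$email]) && $ok;
}

// --- Demo with constructed data ---
$users = [];
createUser($users, 'alice@example.com', 'correct horse battery staple');

var_dump(login($users, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($users, 'alice@example.com', 'wrong'));
var_dump(login($users, 'nobody@example.com', 'anything'));

// The stored value is self-describing: "$2y$12$" followed by the salt and hash.
echo $users['alice@example.com']['hash'], PHP_EOL;
```

The first var_dump() is the only one that prints true. Note that the dummy hash is computed once and cached in a static; computing it on every unknown-email request would be wasteful but harmless, whereas skipping password_verify() entirely on that path is what leaks the timing difference.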

    Try It: Password Hashing

    Hash passwords with bcrypt/Argon2 and verify them securely

    JavaScript
    // Password Hashing: Why and How
    console.log("=== Why Hashing Matters ===");
    console.log();
    console.log("If your database is breached, stored passwords are exposed.");
    console.log("Hashing converts passwords into irreversible strings.");
    console.log();
    
    console.log("❌ NEVER DO THIS:");
    console.log("  MD5:    " + "5f4dcc3b5aa765d61d8327deb882cf99" + "  (cracked in milliseconds)");
    console.log("  SHA1:   " + "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" + "  (rainbow tables exist)");
    console.log("  P
    ...

    Argon2 & Password Policies

    Argon2id is the algorithm to prefer for new deployments (it is the recommendation of RFC 9106 and OWASP): it is memory-hard, so every guess costs real RAM as well as CPU time, which blunts GPU and ASIC cracking. Because password_hash() stores the algorithm and its parameters inside the hash string, password_needs_rehash() can tell you at login time, the only moment you hold the plaintext, that a stored bcrypt hash should be replaced, so you can upgrade users transparently as they sign in. Always pair strong hashing with password strength validation: hashing protects the database copy, it does not make a guessable password safe.
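The upgrade path and strength check just described, as an added example rather than the lesson's own code. The Argon2id parameters are illustrative (tune memory_cost and time_cost so a hash takes roughly 100 to 250 ms on your login servers), the length bounds and the tiny deny-list in passwordProblems() are assumptions, and the code requires a PHP build with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added example, not the lesson's code. Parameters below are assumptions.

const HASH_ALGO = PASSWORD_ARGON2ID;
const HASH_OPTIONS = [
    'memory_cost' => 64 * 1024, // KiB, i.e. 64 MiB per hash
    'time_cost'   => 3,         // iterations
    'threads'     => 1,         // libsodium-backed builds require exactly 1
];

/**
 * Reject weak passwords before hashing. Returns a list of problems; an empty
 * list means the password is acceptable. Length is measured in bytes so the
 * upper bound also keeps very large inputs away from a slow hash function.
 */
function passwordProblems(string $password): array
{
    $problems = [];
    if (strlen($password) < 12) {
        $problems[] = 'must be at least 12 characters';
    }
    if (strlen($password) > 1024) {
        $problems[] = 'is unreasonably long (limit 1024 bytes)';
    }
    if (preg_match('/(.)\1{3,}/', $password)) {
        $problems[] = 'must not repeat one character four or more times in a row';
    }
    // Constructed sample deny-list; production code uses a large breached list.
    $common = ['password', 'password123', 'qwertyuiop', 'letmein12345'];
    if (in_array(strtolower($password), $common, true)) {
        $problems[] = 'is a commonly used password';
    }
    return $problems;
}

/**
 * Verify a login and, on success, upgrade the stored hash if it was produced
 * with an older algorithm or weaker options. Returns the (possibly new) hash
 * on success, null on failure; the caller persists a changed hash.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Only here do we hold the plaintext, so this is the only point at which
    // a rehash with stronger parameters is possible.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        return password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return $storedHash;
}

// --- Demo with constructed data ---
$password = 'correct horse battery staple';
var_dump(passwordProblems($password));
var_dump(passwordProblems('password123'));

// A legacy bcrypt hash, as it might sit in a database created years ago.
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = verifyAndUpgrade($password, $legacy);
echo password_get_info($legacy)['algoName'], ' -> ', password_get_info($upgraded)['algoName'], PHP_EOL;

// Once the new hash is stored, the same call returns it unchanged.
var_dump(verifyAndUpgrade($password, $upgraded) === $upgraded);
```

The first passwordProblems() call returns an empty array and the second two entries (too short and on the deny-list). password_needs_rehash() also fires when the algorithm is already Argon2id but the stored memory_cost or time_cost is lower than HASH_OPTIONS, so raising those constants later migrates existing users the same way.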

    Try It: Argon2 & Strength Checker

    Configure Argon2id, auto-rehash old hashes, and validate password strength

    JavaScript
    // Argon2 & Advanced Password Policies
    console.log("=== Argon2 vs Bcrypt ===");
    console.log();
    console.log("Bcrypt (PASSWORD_DEFAULT):");
    console.log("  • CPU-intensive only");
    console.log("  • 72-byte password limit");
    console.log("  • Well-tested, widely supported");
    console.log();
    console.log("Argon2id (PASSWORD_ARGON2ID) — RECOMMENDED:");
    console.log("  • CPU + Memory intensive (resists GPU attacks)");
    console.log("  • No password length limit");
    console.log("  • Winner of the Password Hashi
    ...

    ⚠️ Common Mistakes

    ⚠️
    Limiting password length: never cap passwords at 16 or 20 characters. Bcrypt silently ignores everything after the first 72 bytes (two passphrases that share their first 72 bytes verify as equal), and Argon2 has no such limit. Allow long passphrases; if you need an upper bound to keep a slow hash from being fed megabytes of input, set it generously (for example 1024 bytes), not at a few dozen characters.
    ⚠️
    Different error messages for wrong email vs wrong password: this tells attackers which emails exist. Always respond with the same message, "Invalid email or password.", and spend the same time on both paths: when the email is unknown, still run password_verify() against a fixed dummy hash so the response time does not reveal whether the account exists.
    💡
    Pro Tip: Check passwords against the HaveIBeenPwned Pwned Passwords API using its k-anonymity model. Send only the first five hex characters of the password's SHA-1, receive every known suffix for that prefix, and compare locally, so the password itself never leaves your server. Reject any password that has appeared in a breach.

    📋 Quick Reference — Password Security

    Function                                         Purpose
    password_hash($pw, PASSWORD_ARGON2ID)            Hash a password (random salt generated and embedded automatically)
    password_verify($input, $hash)                   Check whether the input matches the stored hash (constant-time compare)
    password_needs_rehash($hash, $algo, $options)    True if the hash was made with an older algorithm or weaker options
    PASSWORD_DEFAULT                                 Currently bcrypt; may change in a future PHP release, so store hashes in a column of at least 255 characters
    PASSWORD_ARGON2ID                                Argon2id (memory-hard; requires a PHP build with Argon2 support)

    🎉 Lesson Complete!

    Your password storage now follows current best practice. Next, explore advanced session management with Redis and stateless tokens.
