Password Encryption Methods in PHP: md5, password_hash, and crypt

In website development, user registration and login functions are very common requirements. To protect user account security, we usually need to encrypt passwords for storage to prevent risks caused by password leaks. PHP provides many functions for password encryption and decryption; this article introduces several common methods with code examples.

1. Using md5 function to encrypt:

The simplest password encryption method is using the md5 function, which converts any length string into a 32‑character hash. Below is a simple user registration example:

<?php
// 用户注册
$username = $_POST['username'];
$password = $_POST['password'];

// 对密码进行加密
$encrypted_password = md5($password);

// 将加密后的密码存储到数据库中
// ...
?>

In the above code, we use md5 to encrypt the password and store the encrypted password in the database. During login, the input password is encrypted with md5 and compared with the stored hash to verify the user.

However, the md5 algorithm has security issues; it is a one‑way hash, not reversible, and has been shown to be vulnerable to collisions and brute‑force attacks. Therefore, stronger algorithms should be used.

2. Using password_hash function to encrypt:

PHP 5.5+ introduced the password_hash function, which uses the BCrypt algorithm, automatically generates and stores a salt, providing a more secure way to store passwords. Below is an example of using password_hash for encryption and verification:

<?php
// 用户注册
$username = $_POST['username'];
$password = $_POST['password'];

// 对密码进行加密
$encrypted_password = password_hash($password, PASSWORD_DEFAULT);

// 将加密后的密码存储到数据库中
// ...
?>

<?php
// 用户登录
$username = $_POST['username'];
$password = $_POST['password'];

// 从数据库中取出加密的密码
$encrypted_password = "从数据库中取出的加密密码";

// 对用户输入的密码进行验证
if (password_verify($password, $encrypted_password)) {
    // 登录成功
    // ...
} else {
    // 密码错误
    // ...
}
?>

In this code, password_hash encrypts the password with a random salt stored together. During login, password_verify retrieves the stored hash and verifies the input password; successful verification logs the user in.

3. Using crypt function to encrypt:

The crypt function is another common PHP password encryption function; it uses the UNIX crypt library. Below is an example of using crypt for password encryption and verification:

<?php
// 用户注册
$username = $_POST['username'];
$password = $_POST['password'];

// 使用salt生成加密的密码
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$encrypted_password = crypt($password, '$2y$10$' . $salt);

// 将加密后的密码存储到数据库中
// ...
?>

<?php
// 用户登录
$username = $_POST['username'];
$password = $_POST['password'];

// 从数据库中取出加密的密码
$encrypted_password = "从数据库中取出的加密密码";

// 对用户输入的密码进行验证
if (crypt($password, $encrypted_password) === $encrypted_password) {
    // 登录成功
    // ...
} else {
    // 密码错误
    // ...
}
?>

Here we generate a salt with mcrypt_create_iv, combine it with the password using crypt, and store the result. During login, crypt is used again to compare the input password with the stored hash; a match indicates successful login.

Summary

Encrypting passwords for user registration and login is an essential security measure. This article presented three common encryption methods— md5, password_hash, and crypt —along with code examples. In practice, stronger algorithms and proper salts should be used to enhance security.