Secure PHP Password Storage: From MD5+Salt to Bcrypt and Argon2
This guide explains why MD5 with salt is insecure, introduces stronger hashing algorithms like bcrypt and Argon2, and provides practical PHP examples using password_hash and password_verify to safely store and verify user passwords with built‑in salts and configurable cost factors.
MD5 + Salt
Storing passwords as an MD5 hash plus a random salt is a common but weak practice; MD5 is vulnerable to collision and rainbow‑table attacks. The salt adds uniqueness so that identical passwords produce different hashes. Although salting improves matters, MD5’s inherent weaknesses make it unsuitable for high‑security scenarios. Stronger alternatives such as SHA‑256, bcrypt, scrypt, or Argon2 are recommended.
$password = 'resty123456';
$salt = '84b9b7254162b1dcb127289a3de5a873';
$password_hash = md5($password . $salt); // 760f055685c0a8fe46e8b249e45a876a
Bcrypt Features
Algorithm flexibility: supports bcrypt, Argon2i, and Argon2id. PHP 5.5 introduced bcrypt; PHP 7.2 added Argon2.
Built‑in salt: automatically generates a random salt for each password.
Cost factor: adjustable cost to increase computational difficulty.
Secure storage: the hash contains salt and algorithm information, eliminating separate salt storage.
Ease of use: simple API for generating and verifying hashes.
Compatibility: hashes can be migrated across PHP versions that support the algorithm.
Configurability: an options array can set parameters such as cost.
Built‑in verification: password_verify checks a password against a stored hash.
Security: designed to resist rainbow‑table and brute‑force attacks.
Updatability: newer PHP releases may introduce more secure algorithms.
Official documentation: https://www.php.net/manual/zh/password.constants.php
Usage
Use password_hash and password_verify for secure password handling in PHP.
Example 1
Default algorithm (currently BCRYPT) produces a 60‑character hash.
/**
* We want to hash a password with the default algorithm
* Currently it is BCRYPT and will produce a 60‑character result.
*
* Note that the default algorithm may change over time,
* so allocate more than 60 characters (255 is safe).
*/
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
Typical output:
$2y$10$VVgBs.C9CSMbMKEuOjII9OaUWZWXK4VHmS0eIoN1V9JdkWaIOUsXy
Example 2
Manually set the cost option.
/**
* In this case we increase the BCRYPT cost to 12.
* The hash will still be 60 characters.
*/
$options = [
'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
Typical output:
$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K
Example 3
Benchmark to find an appropriate cost that stays under 350 ms.
/**
* Benchmark the server to find the highest cost that stays under 350 ms.
*/
$timeTarget = 0.350; // 350 ms
$cost = 10;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost;
Typical output:
Appropriate Cost Found: 12
Example 4
Hash with Argon2i.
echo 'Argon2i hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
Typical output:
Argon2i hash: $argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0
Verification
Use password_verify to check a password against its hash.
// Default algorithm hash
$password_hash = password_hash("resty123456", PASSWORD_DEFAULT);
echo '[x] Password Hash ' . $password_hash . PHP_EOL;
// Verify password
if (password_verify('resty123456', $password_hash)) {
echo '[x] Password is valid!';
} else {
echo '[x] Invalid password.';
}
Typical output shows the generated hash followed by a validation message.
Summary
When password_hash is used, PHP automatically generates a unique salt and embeds it in the resulting hash, making storage secure. Combined with password_verify, this is the safest and recommended method for handling user passwords in PHP applications.
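As an added example that is not part of the original article: a login check that ties the MD5 + Salt section to the password_hash/password_verify API. It accepts a legacy md5(password . salt) record, and once the password proves correct, replaces it with a bcrypt hash; modern records are checked with password_verify and rehashed via password_needs_rehash when their cost is below the configured one. The record layout (algo/hash/salt keys), the helper name verifyAndUpgrade, and the sample rows are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. Assumed record layout:
// ['algo' => 'md5'|'php', 'hash' => ..., 'salt' => ...] (salt only for legacy rows).
const HASH_OPTIONS = ['cost' => 12]; // the cost used in Example 2

/**
 * Returns [bool $valid, ?string $newHash]. A non-null $newHash must be
 * persisted for the user in place of the old record.
 */
function verifyAndUpgrade(string $password, array $record): array
{
    if ($record['algo'] === 'md5') {
        // Legacy scheme from the MD5 + Salt section: md5(password . salt).
        // hash_equals() keeps the comparison constant-time.
        $legacy = md5($password . $record['salt']);
        if (!hash_equals($record['hash'], $legacy)) {
            return [false, null];
        }
        // Correct legacy credential: replace it with a bcrypt hash now.
        return [true, password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS)];
    }

    if (!password_verify($password, $record['hash'])) {
        return [false, null];
    }
    // Modern record: rehash only if algorithm or cost differ from the target.
    $newHash = password_needs_rehash($record['hash'], PASSWORD_BCRYPT, HASH_OPTIONS)
        ? password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS)
        : null;
    return [true, $newHash];
}

// Constructed sample records; the legacy hash is recomputed here rather than copied.
$salt = '84b9b7254162b1dcb127289a3de5a873';
$legacyRecord = ['algo' => 'md5', 'salt' => $salt, 'hash' => md5('resty123456' . $salt)];
$lowCostRecord = ['algo' => 'php', 'hash' => password_hash('resty123456', PASSWORD_BCRYPT, ['cost' => 10])];

foreach (['legacy md5' => $legacyRecord, 'bcrypt cost 10' => $lowCostRecord] as $label => $record) {
    [$ok, $newHash] = verifyAndUpgrade('resty123456', $record);
    echo "$label: " . ($ok ? 'valid' : 'invalid')
        . ($newHash !== null ? ', upgraded to ' . substr($newHash, 0, 7) . '...' : ', no upgrade needed')
        . PHP_EOL;
}
// A wrong password is rejected without producing a rehash.
[$ok, $newHash] = verifyAndUpgrade('wrong-password', $legacyRecord);
echo 'wrong password: ' . ($ok ? 'valid' : 'invalid') . PHP_EOL;
```

Both sample logins print valid and report an upgrade (to a `$2y$12$` hash), while the wrong password is rejected; the upgrade path only runs after a successful verification, so an attacker who can only submit guesses gains nothing from it.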