How do you use bcrypt for hashing passwords in PHP?

When it comes to storing passwords securely in PHP, one of the recommended methods is to use bcrypt. In this article, we will explore what bcrypt is, how it works, and how you can use it for hashing passwords in PHP.

What is bcrypt?

Bcrypt is a password hashing function based on the Blowfish cipher. It is designed to be a slow and computationally expensive algorithm, making it ideal for securely hashing passwords.

Unlike basic encryption algorithms like AES or DES, bcrypt is an adaptive hashing algorithm, meaning that it can be adjusted to become slower and more resistant to brute-force attacks over time.

Why use bcrypt for hashing passwords?

Using bcrypt for hashing passwords offers several advantages:

  • Security: Bcrypt hashes are resistant to brute-force attacks and rainbow table attacks.
  • Salting: Bcrypt automatically generates a random salt for each password, making it even more secure against attacks.
  • Adaptability: Bcrypt can be adjusted to become slower and more secure as hardware and computing power improve.

How does bcrypt work?

Bcrypt works by taking a password and running it through a series of iterations of the Blowfish cipher. Each iteration includes a randomly generated salt, which is stored alongside the hash.

Here is a step-by-step breakdown of how bcrypt works:

  1. The password is combined with the salt.
  2. The combined string is hashed using the Blowfish cipher.
  3. The resulting hash is stored in the database alongside the salt.

When verifying a user's password, the stored hash and salt are retrieved from the database. The input password is then combined with the stored salt and hashed using the same number of iterations. If the generated hash matches the stored hash, the password is considered valid.

How to use bcrypt in PHP

Although PHP doesn't natively provide a bcrypt function, you can use the password_hash function introduced in PHP 5.5, which supports bcrypt as one of the hashing algorithms.

Here is an example of how to use bcrypt for hashing passwords in PHP:

            // Generate a random salt
            $salt = random_bytes(16);

            // Hash the password using bcrypt
            $hashedPassword = password_hash($password, PASSWORD_BCRYPT, ['salt' => $salt]);

            // Save the hashed password and salt in the database
            saveToDatabase($hashedPassword, $salt);

In the above code snippet, the random_bytes function is used to generate a random salt. The salt is then passed as an option to the password_hash function along with the password to be hashed.

To verify a password, you can use the password_verify function:

            // Retrieve the hashed password and salt from the database
            $storedHash = getHashFromDatabase();
            $salt = getSaltFromDatabase();

            // Verify the password
            $isValid = password_verify($password, $storedHash);

In the code snippet above, the stored hash and salt are retrieved from the database. The password_verify function is then used to compare the input password with the stored hash. If they match, the password is considered valid.


Bcrypt is a powerful and secure hashing algorithm that is widely used for storing passwords in PHP. Its slow and computationally expensive nature makes it resistant to brute-force and rainbow table attacks. By using functions like password_hash and password_verify, you can easily implement bcrypt in your PHP applications and ensure the security of your users' passwords.