PHP Developers Network

I'm wondering which method of password hashing is best for modern apps/sites? is hashing sha256 secure enough or the latter of using password verify. In all my newest projects I want to make sure I code them more securely. Thanks.

$password = hash('sha256', $pass);

OR

$hash = password_hash($password, PASSWORD_DEFAULT);

if (password_verify($user_password, $hash)) {
// Login successful.
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
// Recalculate a new password_hash() and overwrite the one we stored previously
}
}

No. No no no no no.


Definitely that.

i value your input! Thank you! In addition to that, what are your thoughts on using hash, plus salt and sha512?

Since PHP added those password_* functions there is no reason to do password hashing on your own. You can learn about algorithms and such for fun, but unless you become fluent in advanced mathematics and have mastered the field of cryptography, let password_hash do it for you.

thanks! i'll use password_hash from now on