PHP Security

What are PHP Salts and Hashes?

Published on: October 9, 2020

What are PHP Salts and Hashes?

By applying a hashing algorithm to your user’s passwords before storing them in your database, you make it impossible for an attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future. A cryptographic salt is a data that is applied during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their input. Essentially, PHP salts and hashes are cryptographic tools that help secure your site’s login

Related Guide – Comprehensive guide on PHP Security

Why You Should Hash Passwords

Password hashing is one of the most basic security practices that must be followed when you plan to accept passwords. Without hashing, any passwords stored in your database can be stolen if the database is compromised, and then they can immediately be used to compromise not only your application but also the accounts of your users on other services if they use the same password elsewhere. 

However, it is still important to secure your website in other ways, as hashing only protects passwords from being compromised in your database, but does not necessarily protect them from being intercepted by malware or hackers. 

Related Guide – PHP Security Issues

How You Should Hash Passwords

It is advisable to use either of the following two methods to hash your passwords:

  1. The native password hashing API provided by PHP 5.5 or the pure PHP compatibility library available for PHP 5.3.7 and later. The native password hashing API available in PHP 5.5 safely handles both hashing and verifying passwords securely. 
  2. Using the crypt() function, as it supports several hashing algorithms in PHP 5.3 and later. It is suggested to use the Blowfish algorithm – which is the default option – as opposed to common hashing functions. This is because common hashing functions such as md5() and sha1() are very easy to brute-force and will not hold up well. It is, therefore, advised to use hashing functions that are very difficult to reverse, like the options given above, so that the original password is harder to determine. 

Note: It is strongly recommended that you use the native password hashing API with the crypt() function in order to prevent timing attacks automatically. 

How You Should Make And Store Salts

In the most basic terms, a salt is a bit of random data added to the end of a password to make your hash function difficult to reverse, thus protecting the password. While there are a lot of salt generators available online, you can use password_hash() to create a random salt – this is the easiest approach. 

The return value of your chosen hashing method includes the salt as part of the generated hash. This is the value you should store in your database, as it includes information about the hash function that was used and can then be used to match passwords and authenticate login attempts. 

Related Guide – PHP Hack & Malware Removal Guide

Conclusion: PHP Salts and Hashes

An encrypted password is more difficult to hack than one that’s not, and by hashing passwords in your PHP site, you make it harder for a hacker to attack you. Cyber attacks are horrible, and so are their after-effects on your traffic, revenue, and even your reputation. So, to prevent getting attacked, it is advisable to invest in security and follow good security practices like using PHP salts and hashes – a little bit on your part can go a long way!

About Astra

At Astra, we have a team of security experts who on a daily basis help website owners and developers to secure their website from attackers. Our intelligent firewall provides real-time 24×7 security against bad bots, hackers, malware, XSS, SQLi, and 80+ attacks. Astra Firewall is highly tailored for PHP-based websites and CMS such as WordPress, PrestaShop, OpenCart & Magento to give all-around security to your website.


Sreenidhi is a tech enthusiast who enjoys writing about cybersecurity and data science. Her areas of interest include WordPress security, new malware, and recent cybersecurity news.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany