Using a hashing algorithm to validate a password

Padlock Icon

Security on your website is a critical detail to pay close attention to.  This post will help you use a hashing algorithm to store and validate user authentication details, such as passwords.

If you have a site that stores user authentication data, you will want to use a hashing algorithm to store and validate the password for your users.  In this scenario you should never store the password as a clear text value in your data store.

This goes for member variables of the user object as well.  You should never store the actual value of the users password in a user object.

In other words… don’t ever do this…

$user->password = $value;

Instead take advantage of a hashing routine to both store and validate a users password.

Let’s look at an example using the SHA hashing algorithm.  As an overview, when the user is created or changes their password, we need to generate a hash for that password and save it.  Then as the second step, when the user logs in, we need to create a new hash and validate if it equals the saved one.  This approach will not compromise the users credentials should there every be unauthorized prying eyes looking in.

First step: A routine to create a Hash Token for a passed payload of data (such as a password)

 * Generates a hash for a string based on a secret and a timestamp
 * @param string $payload The value to generate a hash for
 * @param string $secret A shared secret
 * @return string The sha256 of $payload . $secret
 public static function getHashToken($payload, $secret) {
   $str = hash_hmac('sha256', $payload . $timestamp, $secret);
   return $str;

In this routine, a user passes in their password as the payload variable.  A secret key is then passed in.  This key can be global across the entire app or unique per user.  If you keep it global across the app then you can easily invalidate all passwords if you ever need to by simply changing the global secret.

For convenience we are using the hash_hmac php function to build our hash.  In this function we pass in the string value of the hashing algorithm that we want to use.  NOTE: If you change hashing algorithms, you will invalidate all saved/stored hashes.

The return from this function is a hashed string representing your data payload.

Second step: A a routine to validate a challenge payload against a saved hash.

 * Checks a hash for validity
 * @param string $payload The value that was used as the payload when the hash was generated
 * @param string $secret The shared secret that was used to generate the hash
 * @param string $hash The hash that was provided to you
 * @return bool True if the hash is valid, false otherwise
 public static function checkHashToken($payload, $secret, $hash) {
   $challenge = self::getHashToken($payload, $secret);
   if($challenge === $hash){
     return true;
   return false;

In this routine, a user passes in their password challenge attempt as the payload variable.  The application’s designated secret is passed in as well.  In addition a third parameter is passed in which is the saved hash that was retrieved and stored earlier.  The routine make a new hash using the challenge payload and then compares it against the hash that was saved.



Posted in , and tagged , , .