How to use password_hash() & password_verify() PHP: Part 1

Daniel Ng'andu
3 min read · Jun 17, 2019


In this tutorial, I will guide the reader, who has a basic knowledge of PHP, on how to use the password_hash() and password_verify() functions, alongside a MySQL database and a Bootstrap form.
What is password_hash?
Available since PHP 5.5 (and in every later release, including PHP 7 and PHP 8).
password_hash() creates a new password hash using a strong, deliberately slow one-way hashing algorithm. The algorithm identifier, cost and salt are embedded in the returned string, so that string is the only thing you need to store.
e.g
<?php
/**
 * We just want to hash our password using the current DEFAULT algorithm.
 * This is presently BCRYPT, and will produce a 60 character result.
 *
 * Beware that DEFAULT may change over time, so you would want to prepare
 * by allowing your storage to expand past 60 characters (255 would be good).
 */
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
?>

The above example will output something similar to:

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

What is password_verify?
Verifies that the given hash matches the given password. It reads the algorithm, cost and salt out of the hash string itself, so no extra parameters are needed, and the comparison is safe against timing attacks.
e.g
<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
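The two functions are meant to be used together with a database. The following is an added example, not code from the original post or its companion repository: a minimal registration and login flow around password_hash(), password_verify() and password_needs_rehash(). It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs stand-alone; replacing the DSN with a "mysql:host=...;dbname=..." string plus credentials gives the MySQL setup this tutorial targets. The function names register() and login(), the table layout, the cost of 12 and the usernames are all choices made for the example.

```php
<?php
// Added example (not from the original post): registration and login built
// on password_hash(), password_verify() and password_needs_rehash().
// Assumes the pdo_sqlite extension; swap the DSN for MySQL in production.
declare(strict_types=1);

// Cost 12 takes very roughly a quarter of a second per hash on typical server
// hardware of the period; measure and tune it for your own machines.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// VARCHAR(255), not 60: PASSWORD_DEFAULT may change, and newer hashes are longer.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)');

function register(PDO $pdo, string $username, string $password): void
{
    // Only the salted, slow hash is stored; the cleartext is never written anywhere.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // A hash to verify against when the username does not exist, so a login
    // attempt takes the same time either way and does not leak which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash); // burn the same time as a real check
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Correct password. If the stored hash uses an older algorithm or a lower
    // cost than we want today, upgrade it now: login is the only moment the
    // cleartext is available to rehash with.
    if (password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, HASH_ALGO, HASH_OPTIONS),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// --- demo with constructed users ---
register($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple')); // correct password
var_dump(login($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(login($pdo, 'nobody', 'anything'));                    // unknown user

// Simulate a legacy row that still holds the cost-07 hash from the
// password_verify() example above; a successful login upgrades it to cost 12.
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
    ->execute([':u' => 'rasmus', ':h' => '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq']);
var_dump(login($pdo, 'rasmus', 'rasmuslerdorf'));
echo $pdo->query("SELECT password_hash FROM users WHERE username = 'rasmus'")->fetchColumn(), "\n";
```

Two things worth noticing: the prepared statements keep user input out of the SQL text, which matters just as much for a login form as the hashing does, and password_needs_rehash() lets you raise the cost or switch algorithm later without forcing every user to reset their password.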

Why is it important?
A strong password storage strategy is critical to limiting the damage of a data breach, the kind of incident that puts the reputation of any organization in danger. Hashing is the foundation of secure password storage.
Storing passwords in cleartext is the equivalent of writing them down on a piece of digital paper. If an attacker were to break into the database and steal the passwords table, the attacker could then log in to every user account, and, since people reuse passwords, to accounts on other sites as well.
A more secure way to store a password is to transform it into data that cannot be converted back to the original password. This mechanism is known as hashing.
Limitations of Hash Functions
Like all things, hashing has limitations, not necessarily weaknesses. Here are some:
1. Phishing/brute-force attacks
Hashing protects the stored copy of a password, not the password itself. The attacker can still obtain the cleartext from the user through phishing and spoofing, or run a brute-force attack, feeding candidate passwords through the same hash function until one produces a hash that matches the stolen one. The faster the hash function, the cheaper that attack is.
2. Hash functions are deterministic
This means the same function input always results in the same hash.
If a couple of users were to use the same password, their hashes would be identical. If a significant number of people map to the same hash, that is an indicator that the hash represents a commonly used password, and it lets the attacker crack one hash and unlock every account that shares it.
3. Rainbow table attack
An attacker can use a large database of precomputed hashes to look up the input of stolen password hashes, doing the expensive work once and reusing it against every database that uses the same unsalted function.
What is a salt?
In simple terms, a salt is a bit of additional random data, different for every password, which is mixed into the hash input and makes your hashes significantly more difficult to crack.
password_hash() creates a random salt automatically and stores it inside the returned hash string, and this is generally the easiest and most secure approach. The old "salt" option for supplying your own was deprecated in PHP 7.0 and removed in PHP 8.0, so do not use it.
Remember

“The trick is to ensure the effort to “break” the hashing exceeds the value that the perpetrators will gain by doing so. None of this is about being “unhackable”; it’s about making the difficulty of doing so not worth the effort.” — Troy Hunt

Mitigation/Salting
With a salt, the hash is not based on the value of the password alone. The input is made up of the password plus the salt, so two users with the same password get different hashes, and a rainbow table precomputed for unsalted hashes is useless against them.
POINTS TO NOTE
The MD5 and SHA-1 algorithms are broken against collision attacks (Google published a practical SHA-1 collision in 2017) and have been deprecated across the industry; they should not be used for anything new.

For general-purpose hashing, stronger algorithms such as SHA-256 and SHA-3 are the recommended replacements. For passwords, however, even SHA-256 and SHA-3 are a poor fit on their own because they are fast by design, which is exactly what a brute-force attacker wants. Password storage calls for a salted, deliberately slow algorithm: bcrypt (what password_hash() uses by default), Argon2 (PASSWORD_ARGON2ID, available from PHP 7.3 when PHP is built with Argon2 support), scrypt or PBKDF2.
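The points about determinism, salting and fast versus slow hashes above can all be observed from a few lines of PHP. The following is an added example, not code from the original post; the helper names hashesPerSecond() and pickBcryptCost() are my own, the password is constructed, and the throughput figures it prints depend entirely on the machine it runs on.

```php
<?php
// Added example (not from the original post): why a fast, unsalted,
// general-purpose hash such as SHA-256 is the wrong tool for passwords, and
// what password_hash() does differently. Timing figures depend on hardware.
declare(strict_types=1);

$password = 'correct horse battery staple'; // constructed sample password

// 1. Determinism. Two users with the same password get the same SHA-256
//    digest, so one cracked hash unlocks both accounts, and a rainbow table
//    built once works against every database that stores bare SHA-256.
$alice = hash('sha256', $password);
$bob   = hash('sha256', $password);
printf("sha256 identical for same password: %s\n", var_export($alice === $bob, true));

// 2. Salting. password_hash() draws a fresh random salt on every call, so the
//    same password yields different strings, yet both verify.
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);
printf("bcrypt identical for same password: %s\n", var_export($h1 === $h2, true));
printf("both bcrypt hashes verify: %s\n",
    var_export(password_verify($password, $h1) && password_verify($password, $h2), true));

// The salt travels inside the hash string, which is why no separate salt
// column is needed: "$2y$" marks bcrypt, the next number is the cost
// (2^cost rounds), then 22 characters of salt, then the 31-character hash.
print_r(password_get_info($h1)); // shows algoName and the cost option

// 3. Speed. SHA-256 is designed to be fast; bcrypt is designed to be slow.
//    Measure how many guesses per second each allows on this machine.
function hashesPerSecond(callable $fn, float $seconds = 0.5): float
{
    $count = 0;
    $start = microtime(true);
    do {
        $fn();
        $count++;
    } while (microtime(true) - $start < $seconds);

    return $count / (microtime(true) - $start);
}

printf("sha256 guesses/s on one CPU core: %.0f\n",
    hashesPerSecond(function () { hash('sha256', 'guess'); }));
printf("bcrypt (cost 10) guesses/s on one CPU core: %.1f\n",
    hashesPerSecond(function () { password_hash('guess', PASSWORD_BCRYPT, ['cost' => 10]); }, 2.0));

// 4. Tuning. Pick the highest bcrypt cost your login path can afford; a few
//    hundred milliseconds per hash is a common target. Each +1 doubles the work.
function pickBcryptCost(float $targetSeconds = 0.25): int
{
    $cost = 9;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('timing-probe', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $targetSeconds && $cost < 31);

    return $cost;
}
printf("suggested bcrypt cost on this machine: %d\n", pickBcryptCost());

// 5. Where PHP was built with Argon2 support (PHP 7.3+), PASSWORD_ARGON2ID is
//    the stronger choice: it is memory-hard, so GPU and ASIC crackers gain less.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = password_hash($password, PASSWORD_ARGON2ID);
    printf("argon2id hash: %s\n", $argon);
    printf("argon2id verifies: %s\n", var_export(password_verify($password, $argon), true));
}
```

The gap between the two guesses-per-second figures is the whole argument: an attacker with the stolen table pays the same per-guess cost you chose at hashing time, so every doubling of the bcrypt cost halves their throughput, while SHA-256 gives them millions of guesses per second per core for free.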

Code&Database Download Link:
https://github.com/DanielNgandu/SHA512-DEMO-LOGIN

Cited Sources:
https://www.php.net/manual/en/function.password-verify.php
https://www.php.net/manual/en/function.password-hash.php
https://auth0.com/blog/hashing-passwords-one-way-road-to-security/
https://php.net/manual/en/faq.passwords.php
