Each step doubles the work. 10–12 is the common range; higher is slower but stronger.

PHP password_hash() output

About the PHP Password Hash Generator

What is a PHP password hash?

PHP's password_hash() function is the standard, recommended way to hash passwords in PHP. By default it uses bcrypt and produces a self-contained $2y$ string that includes the algorithm, cost and salt. This tool generates exactly that value, so you can create test hashes, seed a database, or check that your code produces the same result.

The matching function password_verify($password, $hash) checks a password against a stored hash, and this tool's Verify tab does the identical thing in your browser. Because password_hash() defaults to bcrypt, the output here is byte-for-byte compatible: a hash you generate can be verified by PHP, and a $2y$ hash from PHP verifies here. Nothing is ever uploaded.

The PHP code

This tool mirrors these two built-in PHP functions exactly:

<?php
// Hash a password (uses bcrypt by default)
$hash = password_hash($password, PASSWORD_DEFAULT);

// Later, check a submitted password against the stored hash
if (password_verify($submitted, $hash)) {
    // password is correct
}

How to Use This Tool

  1. Enter the password. Type or paste the password you want to hash.
  2. Adjust the settings. Set the cost factor; the hash recomputes automatically.
  3. Copy the result. One click copies the hash to your clipboard.
  4. Verify existing hashes. Switch to the Verify tab to check a password against a stored hash.

Common Use Cases

  • Seeding a database: generate a valid password_hash() value to insert as a test or admin user.
  • Verifying your code: confirm your PHP produces a hash that this tool (and password_verify) accepts.
  • Checking a stored hash: paste a $2y$ hash and a password into the Verify tab to test a login.
  • Learning the format: see how the cost and salt are embedded in the password_hash() output.

Frequently Asked Questions

What algorithm does password_hash() use by default?

By default, password_hash($password, PASSWORD_DEFAULT) uses bcrypt and produces a $2y$ hash. PASSWORD_DEFAULT may change to a stronger algorithm in future PHP versions, but existing bcrypt hashes keep working because password_verify() reads the algorithm from the hash itself. PHP can also use Argon2 via PASSWORD_ARGON2ID.

Is a hash from this tool compatible with password_verify()?

Yes. This tool generates a standard bcrypt $2y$ hash, exactly what password_hash() produces, so PHP's password_verify() accepts it. Likewise, a hash created by PHP verifies correctly on the Verify tab here. The two are byte-for-byte compatible.

What cost does password_hash() use?

The default bcrypt cost in PHP is 10. You can raise it with the cost option, for example password_hash($pw, PASSWORD_BCRYPT, ["cost" => 12]). This tool lets you set the cost with a slider so you can match your application's configuration.

Should I ever use md5() or sha1() for passwords in PHP?

No. md5() and sha1() are fast, unsalted hashes and are unsafe for passwords. Always use password_hash() and password_verify(), which apply bcrypt with a proper salt and cost. This is the single most important rule for password handling in PHP.

How do I store a password_hash() result?

Store the entire string in a column at least 60 characters wide (255 is a safe, future-proof choice, since Argon2 hashes are longer). The salt and cost are inside the string, so you do not store them separately. Never store the plain password.

Is my password sent to your server?

No. The hashing and verification run entirely in your browser with a vendored bcrypt library that produces the same output as PHP. Your password never leaves your device.