About the PHP Password Verifier

This tool allows you to check if a given plaintext password matches an existing hash generated by PHP's password_hash() function. It supports BCRYPT, ARGON2I, and ARGON2ID hash formats.

Important Note: This tool performs verification client-side using JavaScript implementations of the hashing algorithms. It's intended for educational purposes, testing hash compatibility, or quick checks during development. For actual user authentication in applications, password verification must always occur on the server.

How It Works

  • Enter the plaintext password you want to check in the "Password" field.
  • Paste the full PHP-generated hash string (e.g., starting with $2y$, $argon2i$, or $argon2id$) into the "PHP Hash" field.
  • Click the "Verify Password" button.
  • The tool will attempt to determine the algorithm and parameters from the hash string and then compare the password against the hash.
  • The result ("Password matches!" or "Password does NOT match.") will be displayed.

The verification process can be slow, especially for Argon2 hashes or bcrypt hashes with high cost factors, as these algorithms are designed to be computationally intensive.

Frequently Asked Questions

How does this tool know which algorithm to use?

PHP password hashes are self-contained. The hash string itself includes an identifier for the algorithm used (e.g., $2y$ for BCRYPT, $argon2i$ for ARGON2I) and any necessary parameters like cost factor and salt. This tool parses these details from the provided hash.
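
The parsing step described above can be sketched as follows. This is an added example, not the tool's own code; the function name parsePhpHash and the sample strings are assumptions made for illustration, and the samples are constructed placeholders rather than real hashes.

```javascript
// Added example: split a PHP password_hash() string into its embedded fields.
// password_hash() emits the $2y$ prefix for bcrypt: 2-digit cost, 22-char salt, 31-char digest.
const BCRYPT_RE = /^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
// Argon2 strings carry version, memory (KiB), time cost and parallelism before salt and digest.
const ARGON2_RE =
  /^\$(argon2id?)\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/;

function parsePhpHash(hash) {
  if (typeof hash !== "string") return null;
  const b = BCRYPT_RE.exec(hash);
  if (b) {
    const cost = Number(b[1]);
    if (cost < 4 || cost > 31) return null; // outside bcrypt's valid cost range
    // Work doubles with each cost step, which is why high costs verify slowly.
    return { algorithm: "bcrypt", cost, iterations: 2 ** cost, salt: b[2], digest: b[3] };
  }
  const a = ARGON2_RE.exec(hash);
  if (a) {
    return {
      algorithm: a[1],
      version: Number(a[2]),
      memoryKiB: Number(a[3]),
      timeCost: Number(a[4]),
      parallelism: Number(a[5]),
      salt: a[6],
      digest: a[7],
    };
  }
  return null; // unknown prefix or truncated string: refuse rather than guess
}

// Constructed sample strings with the right shape; they are not hashes of any real password.
const SAMPLE_BCRYPT = "$2y$12$" + "a".repeat(22) + "b".repeat(31);
const SAMPLE_ARGON2ID = "$argon2id$v=19$m=65536,t=4,p=1$" + "c2FtcGxlc2FsdA" + "$" + "A".repeat(43);

console.log(parsePhpHash(SAMPLE_BCRYPT));
console.log(parsePhpHash(SAMPLE_ARGON2ID));
console.log(parsePhpHash("$2y$12$truncated")); // null
```

Returning null for anything that does not match a known layout keeps a verifier from treating a truncated or legacy-format string as a valid hash.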

Why is verification sometimes slow?

Password hashing algorithms like BCRYPT and Argon2 are intentionally designed to be slow and resource-intensive. This makes it significantly harder for attackers to brute-force passwords even if they obtain a database of hashes. The same computational work needs to be done during verification.

Is it safe to paste my password and hash here?

All operations, including the password comparison, are performed entirely within your web browser using JavaScript. Your password and hash are never transmitted to our servers, ensuring your data remains private to your session.

Can this tool tell me the original password from a hash?

No. Modern password hashing algorithms like BCRYPT and Argon2 are one-way functions. It is computationally infeasible to reverse the hash to obtain the original plaintext password. This tool only checks if a given plaintext password produces the same hash.
