About the PHP Password Verifier

What is password verification?

This tool does exactly what PHP's password_verify($password, $hash) does: it checks whether a password matches a stored hash. Paste the hash and the password, and it tells you instantly whether they match. It automatically detects the algorithm from the hash, supporting bcrypt ($2y$, $2a$, $2b$) and Argon2 ($argon2id$ and friends), the two formats password_hash() produces.

Verification never involves "decrypting" the hash, because password hashes are one-way. Instead, the tool reads the salt and cost embedded in the hash, recomputes the hash of the password you entered, and compares. This is the same process every login performs. Everything runs in your browser, so the password and hash you test are never uploaded.

How to Use This Tool

  1. Enter the password. Paste the stored hash, then type the password you want to check against it.
  2. Read the result. The tool detects the algorithm and shows instantly whether the password matches.
  3. Test as many as you like. Everything runs locally, so you can check hashes freely.

Common Use Cases

  • Debugging logins: confirm that a specific password really does match a stored hash.
  • Testing a migration: check that hashes imported from another system still verify correctly.
  • Confirming a reset: verify that a newly generated hash matches the password you expect.
  • Understanding the format: see which algorithm a hash uses from its detected prefix.

Frequently Asked Questions

How does password_verify() work?

It reads the algorithm, cost and salt embedded in the stored hash, hashes the supplied password with those same parameters, and compares the two using a timing-safe check. If they are identical, the password is correct. This tool performs the same steps in your browser.

Which hash types can this verify?

It verifies bcrypt hashes ($2y$, $2a$, $2b$) and Argon2 hashes ($argon2id$, $argon2i$, $argon2d$), which are the formats PHP's password_hash() produces. The algorithm is detected automatically from the hash prefix, shown below the hash field.

Can you recover the password from a hash?

No, and neither can PHP. Password hashes are one-way by design. Verification does not reverse the hash; it re-hashes the candidate password and checks for a match. The only way to find an unknown password is to guess, which a good password hash makes deliberately slow.

Why does verification take a moment?

Bcrypt and Argon2 are intentionally slow, which is what makes them good for passwords. Verifying runs the same expensive computation as creating the hash, so a brief pause is expected and is a sign the hash is doing its job.

Does a $2a$ hash verify against a $2y$ password?

Yes. The $2a$, $2b$ and $2y$ prefixes are interchangeable versions of bcrypt, so a password verifies regardless of which prefix the stored hash uses. This is why hashes move cleanly between PHP, Node and other libraries.

Is the password I test kept private?

Yes. Verification runs entirely in your browser using vendored bcrypt and Argon2 libraries. The hash and password you enter are never sent to our servers.