Season Your Passwords with some Salt (updated for 2025)

Revisiting Password Storage Best Practices in 2025

If you’re building a modern web app in 2025, one of the most critical components is securely storing user passwords. In the past, we explored various hashing techniques in PHP, but with evolving security threats, it’s essential to revisit and update our approach.

Outdated Methods and Why They Fall Short

In 2008, methods like MD5, SHA1, and even basic uses of the crypt() function were common for hashing passwords. However, these methods are now considered outdated due to significant vulnerabilities:

  • MD5: Susceptible to collisions, where two different inputs produce the same hash.
  • SHA1: Also vulnerable to collision attacks, making it insecure for password storage.
  • DES-based crypt(): Cheap to brute-force, as it relies on the long-obsolete DES cipher and was never designed to resist modern hardware.

Modern Best Practices for Password Storage

In 2025, best practices for password storage focus on using algorithms specifically designed for secure password hashing. Here’s what you should be doing:

1. Use password_hash() and password_verify() in PHP

The password_hash() function provides a secure way to hash passwords using the Bcrypt, Argon2i, or Argon2id algorithms. These algorithms are designed to be slow and computationally expensive, making brute-force attacks more difficult.

Example Code:

$password = 'highedwebtech1';

// Hash the password. PASSWORD_DEFAULT is currently Bcrypt; password_hash()
// generates a random salt for you and embeds it in the returned string.
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

// Store $hashedPassword in your database (a column of at least 255 characters
// leaves room for the longer hashes newer algorithms produce)

When a user logs in, use password_verify() to compare the input password with the stored hash:

$inputPassword = 'highedwebtech1';

if (password_verify($inputPassword, $hashedPassword)) {
    echo 'Password is valid.';
} else {
    echo 'Invalid password.';
}

This approach takes care of hashing, salting, and future-proofing: the algorithm and its parameters are encoded in the hash itself, so password_verify() keeps accepting old hashes even after PASSWORD_DEFAULT moves to a stronger algorithm in a later PHP release, and password_needs_rehash() tells you when a stored hash should be upgraded.

2. Use Argon2 for Maximum Security

Argon2 is the winner of the 2015 Password Hashing Competition (PHC) and is widely regarded as the most secure password hashing algorithm today. It comes in three flavors: Argon2d, Argon2i, and Argon2id, with Argon2id being the best option for general use.

Example Code:

$password = 'highedwebtech1';

// Requires PHP 7.3 or later built with Argon2 support; otherwise the
// PASSWORD_ARGON2ID constant is undefined. Memory, time and thread costs
// can be tuned through the optional third argument.
$hashedPassword = password_hash($password, PASSWORD_ARGON2ID);
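The following is an added example, not code from the original post, that ties sections 1 and 2 together: a login check that verifies the stored hash, guards against leaking which usernames exist through response time, and transparently upgrades older Bcrypt hashes to Argon2id with explicit cost parameters on the next successful login. It assumes PHP 7.3 or later; the $users array stands in for a database table, and the memory_cost/time_cost values are starting points that you would tune so a single hash takes a few hundred milliseconds on your own hardware.

```php
<?php
declare(strict_types=1);

// Target algorithm and parameters (assumed values; tune for your hardware).
// Falls back to Bcrypt when this PHP build lacks Argon2 support.
function hashConfig(): array
{
    if (!defined('PASSWORD_ARGON2ID')) {
        return ['algo' => PASSWORD_DEFAULT, 'options' => ['cost' => 12]];
    }
    return [
        'algo'    => PASSWORD_ARGON2ID,
        'options' => [
            'memory_cost' => 64 * 1024, // in KiB, i.e. 64 MiB per hash
            'time_cost'   => 3,         // number of passes
            'threads'     => 1,         // libsodium-backed builds require 1
        ],
    ];
}

// Verifies a login and rehashes the password when the stored hash no longer
// matches the target algorithm or parameters. $dummyHash is verified when the
// user does not exist, so unknown and known usernames cost the same time.
function login(array &$users, string $username, string $password, string $dummyHash): bool
{
    $stored = $users[$username]['hash'] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    $cfg = hashConfig();
    if (password_needs_rehash($stored, $cfg['algo'], $cfg['options'])) {
        // The plaintext is available only during login, so this is the one
        // place an old hash can be upgraded.
        $users[$username]['hash'] = password_hash($password, $cfg['algo'], $cfg['options']);
    }
    return true;
}

// Constructed sample store: one account whose hash was made with Bcrypt.
$users = ['alice' => ['hash' => password_hash('highedwebtech1', PASSWORD_DEFAULT)]];

// The dummy hash uses the same algorithm and cost as real hashes.
$cfg = hashConfig();
$dummyHash = password_hash(bin2hex(random_bytes(16)), $cfg['algo'], $cfg['options']);

echo 'before login: ', password_get_info($users['alice']['hash'])['algoName'], PHP_EOL;
login($users, 'alice', 'wrong-password', $dummyHash);   // wrong password, hash untouched
login($users, 'alice', 'highedwebtech1', $dummyHash);   // correct password, hash upgraded
echo 'after login:  ', password_get_info($users['alice']['hash'])['algoName'], PHP_EOL;
login($users, 'nobody', 'anything', $dummyHash);        // unknown user, still runs a full verify
```

Because password_verify() is called before the existence check, a missing account is rejected in the same time as a wrong password. On a PHP build without Argon2 the same code keeps working with Bcrypt, and password_needs_rehash() will only trigger a rehash once the configured cost changes.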

3. Implement Rate Limiting and Multi-Factor Authentication

To further protect your authentication system:

  • Implement rate limiting to slow down brute-force attacks.
  • Use Multi-Factor Authentication (MFA) to add an additional layer of security.
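As an added example (not from the original post) of the rate-limiting point, here is a login throttle that allows a small number of failures per window and then imposes a lockout that doubles on each repeat. The $store array stands in for a shared cache such as Redis or APCu (an assumption; a plain array does not survive between PHP requests), and the limits are illustrative values.

```php
<?php
declare(strict_types=1);

const MAX_FAILURES   = 5;    // failures tolerated inside one window
const WINDOW_SECONDS = 300;  // failures older than this are forgotten
const BASE_LOCKOUT   = 60;   // first lockout 60 s, then 120 s, 240 s, ...

// Seconds the caller must still wait before another attempt, or 0 if allowed now.
function retryAfter(array $store, string $key, int $now): int
{
    $e = $store[$key] ?? null;
    if ($e === null || $e['locked_until'] <= $now) {
        return 0;
    }
    return $e['locked_until'] - $now;
}

// Records a failed attempt and returns the updated store.
function recordFailure(array $store, string $key, int $now): array
{
    $e = $store[$key] ?? ['failures' => [], 'lockouts' => 0, 'locked_until' => 0];

    // Drop failures that fall outside the current window.
    $e['failures'] = array_values(array_filter(
        $e['failures'],
        fn (int $t): bool => $t > $now - WINDOW_SECONDS
    ));
    $e['failures'][] = $now;

    if (count($e['failures']) >= MAX_FAILURES) {
        $e['locked_until'] = $now + BASE_LOCKOUT * (2 ** $e['lockouts']);
        $e['lockouts']++;
        $e['failures'] = [];
    }

    $store[$key] = $e;
    return $store;
}

// A successful login clears the counters for that key.
function recordSuccess(array $store, string $key): array
{
    unset($store[$key]);
    return $store;
}

// Simulation with constructed timestamps. Keying on username and client
// address together limits both password guessing against one account and
// one source hammering many accounts; a second, IP-only key is a common addition.
$store = [];
$key   = 'user:alice|ip:203.0.113.7';
$t     = 1_700_000_000;

for ($i = 0; $i < MAX_FAILURES; $i++) {
    $store = recordFailure($store, $key, $t + $i);
}
echo 'wait after 5 failures: ', retryAfter($store, $key, $t + 5), 's', PHP_EOL;
echo 'wait once lockout ends: ', retryAfter($store, $key, $t + 5 + BASE_LOCKOUT), 's', PHP_EOL;

$store = recordSuccess($store, $key);
echo 'wait after success: ', retryAfter($store, $key, $t + 5 + BASE_LOCKOUT), 's', PHP_EOL;
```

In a login handler, call retryAfter() before password_verify() and return the same generic error for a locked account as for a wrong password, so the throttle itself does not reveal which accounts exist.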

4. Avoid Storing Passwords or Sensitive Data in Emails

Never send passwords over email. Instead:

  1. Use a password reset link that expires after a short period.
  2. Send a one-time password (OTP) for temporary access.
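The reset-link approach from step 1, as an added example that is not part of the original post. The raw token is generated from random_bytes(), travels once inside the emailed link, and is never stored: the database holds only its SHA-256 hash together with an expiry, so a leaked table cannot be used to reset accounts. The $tokens array stands in for a database table (an assumption), as does the 15-minute lifetime.

```php
<?php
declare(strict_types=1);

const RESET_TTL = 15 * 60; // token lifetime in seconds

// Creates a single-use token for $userId. Returns [rawToken, updatedStore].
function issueResetToken(array $tokens, string $userId, int $now): array
{
    // 256 bits of randomness, URL-safe base64 so it can sit in a query string.
    $raw = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');

    // A fast hash is enough here: the token is unguessable, unlike a password,
    // and storing the hash keeps a database leak from yielding usable links.
    $tokens[hash('sha256', $raw)] = ['user' => $userId, 'expires' => $now + RESET_TTL];
    return [$raw, $tokens];
}

// Redeems the token from a reset link. Returns [userId or null, updatedStore].
function redeemResetToken(array $tokens, string $raw, int $now): array
{
    $key   = hash('sha256', $raw);
    $entry = $tokens[$key] ?? null;
    if ($entry === null || $entry['expires'] <= $now) {
        return [null, $tokens];
    }
    unset($tokens[$key]); // single use: a second visit to the same link fails
    return [$entry['user'], $tokens];
}

// Constructed walk-through.
$tokens = [];
$now    = time();

[$raw, $tokens] = issueResetToken($tokens, 'alice', $now);
$link = 'https://example.com/reset?token=' . $raw; // what the email would contain

[$user,  $tokens] = redeemResetToken($tokens, $raw, $now + 60);  // inside the lifetime
[$again, $tokens] = redeemResetToken($tokens, $raw, $now + 61);  // same link reused

[$raw2, $tokens] = issueResetToken($tokens, 'alice', $now);
[$late, $tokens] = redeemResetToken($tokens, $raw2, $now + RESET_TTL); // lifetime elapsed

var_dump($user, $again, $late);
```

When the new password is finally saved, delete every outstanding token for that user, and respond to the "forgot password" form identically whether or not the address is registered.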

5. Keep Software and Libraries Updated

Regularly update your PHP version and any third-party libraries you use. Security vulnerabilities are discovered frequently, and staying up to date ensures you’re protected against known issues.

Summary

  • Use password_hash() with Bcrypt or Argon2.
  • Always validate passwords with password_verify().
  • Avoid outdated algorithms like MD5 and SHA1.
  • Implement rate limiting and MFA.
  • Regularly update your software.

In 2025, password security remains a cornerstone of application security, and using modern best practices ensures your users’ data remains protected.

What are your thoughts on these best practices? Do you have additional tips for handling passwords securely?


Mike Richwalsky

Partner

Mike is principal at Gas Mark 8, Ltd., a creative marketing agency in Cleveland, Ohio and Manchester, England. We do good work for non-profits, higher ed, and small businesses in the US and UK. An accomplished speaker, he focuses on the technical side of marketing and web development, with a focus on digital marketing, video, cloud, and social media.