Generate bcrypt, Argon2i, and Argon2id hashes fully compatible with PHP's password_hash() and password_verify().Powered by real cryptographic libraries (bcryptjs and hash-wasm/WebAssembly) — all processing stays in your browser.
password_hash() and Why It Matters
PHP's password_hash() is the gold‑standard API for secure password storage in PHP applications. It abstracts away the complexities of salting, hashing, and algorithm selection, producing cryptographically strong hashes that resist brute‑force, rainbow table, and dictionary attacks. Since its introduction in PHP 5.5, it has become the de facto solution for authentication systems worldwide.
Key principle: A password hash is a one‑way transformation — you can generate a hash from a password, but you cannot reverse the hash to obtain the original password. Verification works by hashing the submitted password (with the same salt and parameters) and comparing the result to the stored hash.
| Algorithm | Identifier | PHP Version | Key Features | Recommendation |
|---|---|---|---|---|
| bcrypt |
PASSWORD_BCRYPT
|
5.5+ | Blowfish‑based, cost‑adjustable, 72‑char limit, widely supported | Good legacy choice |
| Argon2i |
PASSWORD_ARGON2I
|
7.2+ | Data‑dependent memory‑hard, resistant to GPU/ASIC attacks | Good for memory‑constrained environments |
| Argon2id |
PASSWORD_ARGON2ID
|
7.3+ | Hybrid of Argon2i + Argon2d, best resistance to side‑channel and GPU attacks | Recommended |
| PASSWORD_DEFAULT | — | 5.5+ | Alias to strongest available algorithm (currently bcrypt, future Argon2) | Safe for forward‑compatibility |
Important: Never store passwords in plain text. Always use a cryptographically secure hashing algorithm with a unique salt per password. PHP's password_hash() automatically generates a secure random salt for each hash.
This tool is a full client‑side implementation of PHP's password hashing algorithms, using battle‑tested libraries:
All hashes are formatted identically to PHP's output and can be verified with password_verify() without any modification.
password_verify().
A logarithmic factor that determines the number of hashing rounds: 2cost. Higher cost = slower hashing = harder to brute‑force. Recommended range: 10–12 for general use, 14+ for high‑security environments.
Time cost controls iterations; memory cost controls memory usage (in KB). Higher values increase resistance to GPU/ASIC attacks. Defaults: time=2, memory=65536 KB (64 MB).
This tool includes a real‑time password strength meter based on entropy estimation and pattern analysis. It evaluates:
The estimated crack time is calculated using the zxcvbn algorithm (a battle‑tested password strength estimator by Dropbox), giving you a practical sense of how resistant your password is to modern attacks.
Pro tip: A password with 80+ bits of entropy (e.g., "CorrectHorseBatteryStaple!") is considered secure against all realistic brute‑force attacks. Use passphrases of 4+ random words for optimal security and memorability.
Once you generate a hash with this tool, you can use it in your PHP application like this:
password_hash() and verify with password_verify().
password_hash() under the hood. Any hash generated by this tool is compatible with Hash::check() in Laravel and PasswordEncoderInterface in Symfony, as long as you use the same algorithm and parameters.
password_hash() to ensure full control over the environment and to avoid any potential client‑side vulnerabilities. This tool is best used as an educational resource and for quick prototyping.
password_hash() automatically generates a cryptographically secure random salt for each hash, and the salt is stored within the hash itself for verification.