Why password_verify is not working in PHP

When working with password hashing in PHP, developers often use the password_hash function to securely hash user passwords and the password_verify function to check if a provided password matches the hashed version stored in the database. However, there are cases where password_verify may not work as expected, leaving developers scratching their heads. In this article, we'll explore some common reasons why password_verify might fail to verify a password hashed with password_hash.

 

password_hash is a PHP function used to securely hash passwords. It takes the user's plaintext password and generates a cryptographically secure hash, which includes a randomly generated salt. Here's an example of how to use it:

 

php -r "echo password_hash('my_secure_password', PASSWORD_BCRYPT);"

 

The output will be:

 


$2y$10$.inx6abgkmIqeepsiNPb3Ox.kApj6m.KJILqi4Spt.m3tQA/AO6Kq

 

Password Verification with password_verify

 

To verify a user's login attempt, developers typically use the password_verify function. It checks if the provided plaintext password matches the hashed password stored in the database. Here's an example:

 

php -r "var_dump(password_verify('my_secure_password','$2y$10$.inx6abgkmIqeepsiNPb3Ox.kApj6m.KJILqi4Spt.m3tQA/AO6Kq'));"

 

 

If you run this in Git Bash command line, you will get the following failed message

 

bool(false)

 

But if you run it in Windows CMD, you will get the following result

bool(true)

 

 

So if you want to test this function, you cant just test it on GIT Bash command line, you have to use Windows command line