The PHP Functions password_hash and password_verify
Password hashing is a critical part of securing an application against attackers who could otherwise recover passwords through rainbow tables or dictionary attacks. Fortunately, the PHP function password_hash makes it easy to hash a user's password and store the result securely.
The password_hash function accepts two arguments: the string value to hash and the algorithm to use. The default is bcrypt, but you can also choose a different algorithm by specifying the option PASSWORD_BCRYPT, PASSWORD_ARGON2I, or PASSWORD_ARGON2ID.
Once the hash is created, it is stored in a secure database. Then, when a user authenticates, you verify that the submitted password matches the stored hash. This means a breach of the database does not expose the users' real passwords, and it is much safer than simply comparing the plain string values with the equals sign, which could be subject to timing attacks.
The PHP function password_verify takes the plain-text password as its first argument and the hash stored in the database as its second. The function reads the hashing algorithm and cost factor that were used to create the hash from the hash itself and uses them to compare it with the supplied password. It returns a boolean indicating whether the passwords match. Because the comparison runs in constant time, it is safe against timing attacks. The resulting boolean can then be used to decide the correct action, such as displaying a login failure message or redirecting the user to an error page.
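The registration and login flow described above, as an added example that is not code from the original article. The in-memory $users array stands in for the database, the bcrypt cost of 12 and the helper names registerUser and loginUser are assumptions for this example, and the demonstration also shows password_needs_rehash upgrading a hash that was stored with a weaker cost, which the article's description of embedded cost factors makes possible.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article: a minimal registration
// and login flow built on password_hash() and password_verify(). The $users
// array stands in for the database the article mentions, and the hash cost is
// an assumption chosen for this example.
const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt in current PHP releases
const HASH_OPTIONS = ['cost' => 12];  // work factor; raise when hardware allows

/** Register a user: only the hash is stored, never the plain-text password. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Check a login attempt. password_verify() reads the algorithm, cost and salt
 * embedded in the stored hash and compares in constant time. If the stored
 * hash was produced with weaker parameters than HASH_OPTIONS, it is upgraded
 * transparently after a successful login via password_needs_rehash().
 */
function loginUser(array &$users, string $username, string $password): bool
{
    // Precomputed hash of a random value (constructed dummy, not a real user),
    // so that an unknown username costs the same time as a wrong password.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // Re-hash with the current parameters if the stored hash is weaker.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// --- Demonstration with constructed data ---------------------------------
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));

// A hash stored earlier with a lower cost is upgraded on the next valid login.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
echo 'bob cost before: ', password_get_info($users['bob'])['options']['cost'], "\n";
loginUser($users, 'bob', 'hunter2');
echo 'bob cost after:  ', password_get_info($users['bob'])['options']['cost'], "\n";
```

Note that loginUser never compares the submitted password with a stored value using the equals sign; every comparison goes through password_verify, so the stored column only ever contains hashes and the check runs in constant time regardless of where the two strings differ.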