Zend Framework 2

Zend Framework 2 ships with the Zend\Crypt component, which can be used to generate secure password hashes.


To use it, first install Zend\Crypt via composer:

composer require "zendframework/zend-crypt:2.*"


Whenever you want to generate a new password, just create a new Bcrypt instance as following:

use Zend\Crypt\Password\Bcrypt;

require_once __DIR__ . '/vendor/autoload.php';

$bcrypt = new Bcrypt();

$secureHash = $bcrypt->create($clearTextPassword);

Verifying a password

Verifying a password is also done via the Bcrypt instance:

if ($bcrypt->verify($clearTextPassword, $secureHash)) {
    echo "Password matches!";
} else {
    echo "Password does NOT match!";

Authenticating a user against a database

Please note that you should always authenticate your users against a database by first fetching the identity by identifier or username, and only then verifying the user against the given password:

$user = $usersGateway->select(['username' => $inputUsername]);

if ($user && $bcrypt->verify($inputPassword, $user->getPasswordHash())) {
    // valid login, may store user identity into session here

Increasing hash strength

If you want to generate stronger hashes, you may increase the cost of your Bcrypt hash. The current default value is 10, but as computers get faster, slower hashes may be needed:

$bcrypt = new Bcrypt(['cost' => 16]);

$secureHash = $bcrypt->create($clearTextPassword);

Integration with Zend\Mvc

Authentication and security are hard: if you use the full-stack ZF2 framework, then you can just plug the ZfcUser module into your applications. Using ZfcUser instead of your own homebrew authentication system will give you the advantage of always having an the latest known security vulnerabilities fixed for you by experienced community members.