Why This Happens
On PHP 7, password_hash() returns false when hashing fails, for example when the algorithm constant is not one this PHP build supports; on PHP 8.0 and later it throws a ValueError (or an Error) instead of returning false. Far more often, password_verify() fails because the string you read back is not the string password_hash() produced. The usual causes are a password column that is too short, so the hash was truncated on INSERT (bcrypt hashes are exactly 60 characters, Argon2 hashes are longer, and the algorithm behind PASSWORD_DEFAULT may change in a future PHP release, so VARCHAR(60) is a latent failure), or a string operation such as trim() or strtolower() applied to the hash before it was stored or after it was retrieved. Note that MySQL only truncates silently with strict mode off; with strict mode on (the default since MySQL 5.7) the INSERT itself fails, which is easier to notice.
The Problem
// Database column is VARCHAR(60): exactly bcrypt's length, too short for anything else
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
$stmt->execute(['email' => $email, 'hash' => $hash]); // A hash longer than 60 chars gets truncated
// Later:
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
$storedHash = $stmt->fetchColumn();
password_verify($password, $storedHash); // Always false against a truncated hash
The Fix
// Use VARCHAR(255) for the password column
// ALTER TABLE users MODIFY password_hash VARCHAR(255);
$hash = password_hash($password, PASSWORD_DEFAULT);
if ($hash === false) { // PHP 7 only: PHP 8 throws ValueError/Error instead of returning false
    throw new RuntimeException('Password hashing failed');
}
$stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
$stmt->execute(['email' => $email, 'hash' => $hash]);
// Verify:
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
$storedHash = $stmt->fetchColumn(); // false when no such user
if ($storedHash !== false && password_verify($password, $storedHash)) {
    echo 'Password correct';
}
Step-by-Step Fix
1. Check the database column size
Ensure the password hash column is VARCHAR(255), as the PHP manual recommends. Bcrypt hashes are exactly 60 characters, but Argon2 hashes are around 97 characters with the default parameters, and the algorithm behind PASSWORD_DEFAULT may change in a future PHP release.
2. Verify the hash is not modified
Make sure no trim(), strtolower(), strtoupper(), or other string transformation touches the hash before storing it or after reading it back. Hashes are case-sensitive, so a case change makes password_verify() fail even though the stored value still looks like a valid hash. Compare the value read from the database byte-for-byte with what password_hash() returned at registration time.
3. Handle hash failures
On PHP 7, check whether password_hash() returned false and handle the error; on PHP 8, catch the ValueError it throws instead. In both cases confirm that the algorithm constant you pass (PASSWORD_DEFAULT, PASSWORD_BCRYPT, or PASSWORD_ARGON2ID) is one this PHP build supports; the Argon2 constants only exist when PHP was compiled with Argon2 support.
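The three steps together, as an added, self-contained PHP example (not code from the original page or from Bugsly): a write path that refuses a hash the column cannot hold, a diagnostic that tells a truncated hash from one whose content was altered, and a login check that rehashes on success. It assumes PHP 8 (str_starts_with(), and password_hash() throwing rather than returning false), a users table with email and password_hash columns, and the pdo_sqlite extension; because SQLite does not enforce VARCHAR widths, the truncation is simulated with substr(). The table, the user and the passwords are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Width of the password_hash column; 255 is what the fix above recommends.
const PASSWORD_COLUMN_WIDTH = 255;

/**
 * Hash a password and store it, refusing to write a hash the column cannot
 * hold. Failing here is far better than a silently truncated hash that can
 * never verify.
 */
function storePasswordHash(PDO $pdo, string $email, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // PHP 7 returns false on failure; PHP 8 throws ValueError/Error instead,
    // so this check only matters on PHP 7 but is harmless on PHP 8.
    if ($hash === false) {
        throw new RuntimeException('Password hashing failed');
    }
    if (strlen($hash) > PASSWORD_COLUMN_WIDTH) {
        throw new RuntimeException('Hash does not fit the password column');
    }
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute(['email' => $email, 'hash' => $hash]);
    return $hash;
}

/**
 * Explain why a stored hash cannot verify. Returns a list of findings; an
 * empty list means the hash is structurally intact, so a failing
 * password_verify() then points at the password itself or at a content
 * change (such as strtolower()) that cannot be seen from the format alone.
 */
function diagnoseStoredHash(string $stored): array
{
    $findings = [];
    if ($stored !== trim($stored)) {
        $findings[] = 'whitespace was added around the hash';
    }
    $hash = trim($stored);
    $info = password_get_info($hash); // 'algoName' is 'unknown' for anything it cannot parse

    if (str_starts_with($hash, '$2y$')) { // bcrypt: always exactly 60 characters
        if (strlen($hash) !== 60) {
            $findings[] = sprintf('bcrypt hash is %d characters, expected 60: truncated or padded', strlen($hash));
        }
    } elseif (str_starts_with($hash, '$argon2')) {
        // $argon2id$v=19$m=...,t=...,p=...$<salt>$<digest>: six '$'-separated fields
        $fields = explode('$', $hash);
        if (count($fields) < 6 || strlen($fields[5]) < 43) {
            $findings[] = 'argon2 hash is missing its salt or digest: truncated';
        }
    } elseif ($info['algoName'] === 'unknown') {
        $findings[] = 'prefix is not one password_hash() produces: the hash was rewritten or the column holds something else';
    }
    return $findings;
}

/** Verify a login and upgrade the stored hash when the cost or algorithm has changed. */
function checkLogin(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $stored = $stmt->fetchColumn(); // false when no such user
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
        $upd->execute(['hash' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email]);
    }
    return true;
}

// Demonstration on an in-memory SQLite database (constructed; SQLite ignores
// VARCHAR widths, so a too-short column is simulated with substr() below).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');

$hash = storePasswordHash($pdo, 'alice@example.com', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice@example.com', 'correct horse battery staple')); // right password
var_dump(checkLogin($pdo, 'alice@example.com', 'wrong password'));               // wrong password

$truncated = substr($hash, 0, 50); // what a VARCHAR(50) column would have kept
var_dump(password_verify('correct horse battery staple', $truncated)); // never verifies
print_r(diagnoseStoredHash($truncated));        // reports the bcrypt length mismatch
print_r(diagnoseStoredHash(strtolower($hash))); // no findings: format intact, content altered
```

The last call is the caveat worth remembering: a lowercased bcrypt hash still has the `$2y$` prefix and the right length, so no structural check catches it. When the diagnostic returns nothing and password_verify() still fails, compare the stored value byte-for-byte against a freshly generated hash's format and audit every place the value passes through between password_hash() and password_verify().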
Bugsly catches this automatically
Bugsly's AI analyzes this error pattern in real-time, explains what went wrong in plain English, and suggests the exact fix — before your users even report it.
Try Bugsly free