Since PHP 7.x it is recommended to use the native password_hash() function.
MD5 should be avoided since there are plenty of MD5 dictionaries that help to "crack" MD5 passwords, for instance https://crackstation.net/.
Note: since password_hash() is native, there are no dependencies on an external library.
Sample PHP code:
// 1. For instance, retrieve the hash from a protected file, outside the public folder
// trim() drops a trailing newline that would otherwise make password_verify() fail
$hash = trim(file_get_contents('../public/site/password.json'));
// $hash now contains the result of password_hash("your_password", PASSWORD_DEFAULT)
// For instance $hash is equal to '{{ HASH }}'
// 2. Get the filled-in password, for instance, from a submitted form
// Read it unmodified: FILTER_SANITIZE_STRING rewrites characters such as < and quotes
// (so the check would fail for such passwords) and is deprecated since PHP 8.1
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
// 3. And verify that the filled-in password is the expected one
if (is_string($password) && password_verify($password, $hash)) {
    echo 'You can enter this room, the password is correct.';
}
Store the hash of this password, for instance, in a database or any protected file (ideally outside your public folder) and no longer use your password in plain text; just verify the hash using password_verify().
Info: the hash will start with '$2y$' when the used algorithm is BCRYPT and with '$argon2i$' when Argon2i was used (which is much better).
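The full cycle described above (create the hash once, verify on login, move a stored bcrypt hash to Argon2i when possible), as an added example that is not code from the original page. The function names and the sample password are constructed for illustration, and Argon2i is only used if this PHP build defines PASSWORD_ARGON2I.

```php
<?php
// Added example, not the page's own code. Function names and the sample password are constructed.

// Prefer Argon2i when this PHP build provides it, otherwise fall back to the default algorithm.
function preferred_algo()
{
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_DEFAULT;
}

// Run once, when the password is set: only this hash is stored, never the plain text.
function make_hash(string $plain): string
{
    return password_hash($plain, preferred_algo());
}

// Run on each login. Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
// stored hash was made with another algorithm or cost and should replace the stored value.
function check_login(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, preferred_algo()) ? make_hash($plain) : null;
    return [true, $new];
}

// Constructed demo: start from a bcrypt hash, as an older installation would have stored it.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
// Show the algorithm name next to the hash prefix mentioned in the Info line.
echo password_get_info($stored)['algoName'], ' ', substr($stored, 0, 4), PHP_EOL;

// Correct password: login succeeds and, if Argon2i is available, an upgraded hash is returned.
[$ok, $new] = check_login('correct horse battery staple', $stored);
var_dump($ok);
if ($new !== null) {
    echo password_get_info($new)['algoName'], ' ', substr($new, 0, 9), PHP_EOL;
    $stored = $new; // in a real application, write the new hash back to the database or file
}

// Wrong password: verification fails and no new hash is produced.
var_dump(check_login('wrong guess', $stored)[0]);
```

The rehash happens inside check_login() because that is the only moment the plain-text password is available to compute a new hash.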