You should actually use password_hash() and password_verify() for passwords instead of hash_equals(). If the database with passwords already exists and you cannot change them directly, you can set up a way to automatically upgrade the users to password_hash() the next time they log in.
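The upgrade-on-login flow described above, as an added example that is not part of the original comment. It assumes the legacy scheme is an unsalted SHA-256 hex digest and uses an in-memory array in place of the users table; `isModernHash()` and `login()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed sample store standing in for the users table (assumption):
// "alice" still has a legacy SHA-256 digest, "bob" is already migrated.
$users = [
    'alice' => ['hash' => hash('sha256', 'correct horse')],
    'bob'   => ['hash' => password_hash('hunter2!', PASSWORD_DEFAULT)],
];

/** True if the stored value is in one of password_hash()'s formats. */
function isModernHash(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

/** Verify a login and migrate the stored hash while the plaintext is available. */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (isModernHash($stored)) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Default algorithm or cost changed since this hash was created: refresh it.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy path (assumed scheme): constant-time compare against the old digest.
    if (!hash_equals($stored, hash('sha256', $password))) {
        return false;
    }
    // Overwrite the legacy value so the weak digest no longer sits in the database.
    $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

var_dump(login($users, 'alice', 'correct horse'));  // first login takes the legacy path
var_dump(isModernHash($users['alice']['hash']));    // stored value after migration
var_dump(login($users, 'alice', 'correct horse'));  // second login uses password_verify()
var_dump(login($users, 'alice', 'wrong password')); // wrong password after migration
```

Accounts that never log in again keep their legacy digest, so a real migration also needs a cutoff after which those accounts are forced through a password reset.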