A summary of the solution for password encryption in PHP

Many users multiple sites use a password, when a password is lost other also suffer, this article introduces the password encryption in PHP solution Summary, the need for friends to understand.

The emergence of similar events will have a huge impact on users, because people tend to use the same password on different websites, a "Bauku", all suffer

A general solution.

1, the plaintext password to do one-way hash

$password = MD5 ($_post["password"]);

2, password +salt after doing one-way hash,php built-in hash () function, you just need to pass the encryption method to the hash () function just fine. You can directly indicate SHA256, SHA512, MD5, SHA1 and other encryption methods.

<?php function Generatehashwithsalt ($password) {$intermediateSalt = MD5 (Uniqid (rand (), true)); $salt = substr ($ Intermediatesalt, 0, 6); Return hash ("sha256", $password. $salt);}? >

A one-way hashing algorithm has an attribute that cannot restore raw data through a Hashed Digest (Digest), and common one-way hashing algorithms include SHA-256,SHA-1,MD5. For example, the Digest (Digest) after the SHA-256 hash of the password "Passwordhunter" is as follows:
"Bbed833d2c7805c4bf039b140bec7e7452125a04efa9e0b296395a9b95c2d44c"

Note: An attacker could make a one-way hash of a common combination of all passwords, get a summary combination, and then match the digest in the database to get the corresponding password. This summary combination is also known as Rainbow table. Worse, an attacker could match all of the password databases by creating the rainbow table above. Still equal to a "Bauku", all suffer

A better solution

Bcrypt

<?phpfunction Generatehash ($password) {if (Defined ("Crypt_blowfish") && crypt_blowfish) {  $salt = ' $2y$ 11$ '. SUBSTR (MD5 (Uniqid (rand (), true)), 0, ();  Return crypt ($password, $salt); }}?>

Bcrypt is actually a combination of Blowfish and crypt () functions, where we can determine if Blowfish is available by crypt_blowfish, and then generate a salt value as above, but it is important to note that crypt () The salt value must start with 2A2A or 2y2y, details can refer to the following link:

http://www.php.net/security/crypt_blowfish.php

http://php.net/manual/en/function.crypt.php

Password Hashing API

Password Hashing API is a new feature after PHP 5.5, it mainly provides the following functions for us to use

Password_hash () – Encrypt the password.
Password_verify () – verifies that a password has been encrypted to verify that its hash string is consistent.
Password_needs_rehash () – Re-encrypt the password.
Password_get_info () – Returns the name of the cryptographic algorithm and some related information.

Although the crypt () function is enough to use, but Password_hash () not only makes our code shorter, but also gives us a better guarantee in terms of security, so now the official PHP is recommended this way to encrypt the user's password, Many popular frameworks, such as Laravel, are used in this way.

<?php$hash = Password_hash ($passwod, password_default);? >

Password_default is currently using Bcrypt, the best or PASSWORD Hashing API. It is important to note that if your code is using Password_default encryption, then in the database table, the password field must be set more than 60 characters in length, you can also use Password_bcrypt, this time, After encryption, the string is always 60 characters long.

Here Password_hash () you can completely not provide salt and consumption value (cost), you can understand the latter as a performance of the consumption value, the greater the cost, the more complex the encryption algorithm, the more memory consumed. Of course, if you need to specify the corresponding salt value and consumption value, you can write

<?phpfunction Custom_function_for_salt () {return $salt = ' $2y$11$ '. substr (MD5 (Uniqid (rand (), true)), 0;} $PASSW Ord = 123456;  $options = [' Salt ' = Custom_function_for_salt (),//write your own code to generate a suitable salt ' cost ' = 12// The default cost is]; $hash = Password_hash ($password, Password_default, $options); Echo $hash;? >

After the password is encrypted, we need to verify the password to determine if the user entered the correct password

<?phpif (Password_verify ($password, $hash)) {//Pass}else {//Invalid}

Using password_verify directly validates the string we previously encrypted, which exists in the database.

If sometimes we need to change our encryption, like one day we suddenly want to change the salt value or increase the consumption value, we are going to use the Password_needs_rehash () function

<?phpif (Password_needs_rehash ($hash, Password_default, [' cost ' = +])} {//cost change to $hash = Password_has H ($password, Password_default, [' cost ' = +]);  Don ' t forget to store the new hash!}

Only in this way, PHP password Hashing API will know that we re-replaced the encryption method, so that the main purpose is for the subsequent password verification, Password_get_info (), this function can generally see the following three information

algo– Algorithm Example
algoname– algorithm Name
Optional parameters for options– encryption

The above is the whole content of this article, I hope that everyone's study has helped.