In the use of PHP to develop Web applications, many applications will require users to register, and registration when we need to user information processing, the most common is the mailbox and password, this article is intended to discuss the processing of passwords: that is, encryption of the password processing.
MD5
I believe many PHP developers in the first contact with PHP, the first encryption function to handle the password may be MD5, I was like this:
$password = MD5 ($_post["password"]);
Is this code familiar? However, MD5 encryption method is currently in the river in PHP is not very popular, because its encryption algorithm is really a bit simple, and many cracked the password site are stored a lot of MD5 encrypted password string, So here I am very do not advocate still use MD5 to encrypt the user's password alone.
SHA256 and SHA512
In fact, with the previous MD5 the same time there is a SHA1 encryption, but also the algorithm is relatively simple, so here is a pen to take it. And here is about to say SHA256 and SHA512 are from the SHA2 family of encryption functions, look at the name may be guessed out, the two encryption methods generate 256 and 512 bit length hash string.
They use the following methods:
$password = Hash ("sha256", $password);
PHP has a hash () function built into it, and you just need to pass the encryption to the hash () function. You can directly identify SHA256, SHA512, MD5, SHA1, and other encryption methods.
Salt value
In the process of encryption, we also have a very common small partner: salt value. Yes, when we encrypt, we actually add an extra string to the encrypted string to achieve the goal of increasing security:
function Generatehashwithsalt ($password) {
$intermediateSalt = MD5 (Uniqid (rand (), true);
$salt = substr ($intermediateSalt, 0, 6);
Return hash ("sha256", $password. $salt);
}
Bcrypt
If I were to suggest an encryption method, Bcrypt might be the minimum I could recommend, because I would strongly recommend the hashing API you'll be talking about later, but Bcrypt is a good way to encrypt it.
function Generatehash ($password) {
if (Defined ("Crypt_blowfish") && crypt_blowfish) {
$salt = ' $2y$11$ '. SUBSTR (MD5 (Uniqid (rand (), True), 0, 22);
Return crypt ($password, $salt);
}
}
Bcrypt is actually a combination of the Blowfish and Crypt (), where we can determine whether Blowfish is available by crypt_blowfish, and then generate a salt value like the above, but it should be noted that the salt value of crypt () must be $2a$ or $2y$, the details can refer to the following links:
http://www.php.net/security/crypt_blowfish.php
More information can be seen here:
http://php.net/manual/en/function.crypt.php
Password hashing API
This is our play, the Password hashing API is a new feature after PHP 5.5, and it basically provides the following functions for us to use:
Password_hash () – Encrypt the password.
Password_verify () – Validates the password that has been encrypted and verifies that its hash string is consistent.
Password_needs_rehash () – Encrypt the password again.
Password_get_info () – Returns the name of the cryptographic algorithm and some related information.
Although the crypt () function is sufficient in use, Password_hash () not only makes our code shorter, but also gives us better security, so now the official PHP is recommending this way to encrypt the user's password, many popular frameworks such as Laravel is the way to use this encryption.
$hash = Password_hash ($passwod, Password_default);
Yes, it's that simple, one line of code, all done.
Password_default is currently using bcrypt, so I would say recommend this, but because the PASSWORD hashing API is doing better, I must seriously want you to recommend PASSWORD hashing API. It should be noted here that if your code is using Password_default encryption, then in the database table, the PASSWORD field will have to set more than 60 characters in length, you can also use Password_bcrypt, this time, After encryption, the string is always 60 characters long.
Using Password_hash () you can simply not provide salt values (salts) and consumption values (cost), you can interpret the latter as a performance consumption value, the greater the cost, the more complex the encryption algorithm, the greater the memory consumption. Of course, if you need to specify the corresponding salt value and consumption value, you can write this:
$options = [
' Salt ' => custom_function_for_salt (),//write your own code to generate a suitable salt
' Cost ' =>//The default cost is 10
];
$hash = Password_hash ($password, Password_default, $options);
After the password is encrypted, we need to verify the password to determine whether the user entered the correct password:
if (Password_verify ($password, $hash)) {
Pass
}
else {
Invalid
}
Quite simply, the direct use of password_verify can be used to validate our previously encrypted strings (existing in the database).
However, if sometimes we need to change our encryption methods, such as a day when we suddenly want to change the salt value or increase the consumption value, we will use the Password_needs_rehash () function at this time:
if (Password_needs_rehash ($hash, Password_default, [' Cost ' => 12])) {
Cost Change to 12
$hash = Password_hash ($password, Password_default, [' Cost ' => 12]);
Don ' t forget to store the new hash!
}
Only in this way, PHP's Password hashing API will know that we reproduce the replacement of the encryption method, the main purpose is to later password verification.
Simply put Password_get_info (), this function can generally see the following three information:
algo– Algorithm Example
algoname– algorithm Name
Optional parameters for options– encryption
So, start using PHP 5.5 now, and stop obsessing about the low version.