PHP password encryption in several ways _php instances

PHP Development Web application, often complete user registration information, registration information including the mailbox and password verification issues, this article is mainly for the password encryption technician way.

MD5

I believe that many PHP developers in the first contact with PHP, the first cryptographic function to handle the password may be MD5, I was like this:

Copy the Code code as follows:
$password = MD5 ($_post["password"]);

Is the above code familiar? However, MD5 encryption method At present in the Lake of PHP seems not very popular, because its encryption algorithm is a bit simple, and a lot of password-breaking sites are stored a lot of MD5 encrypted password string, so here I do not advocate also in the single use of MD5 to encrypt the user's password.

SHA256 and SHA512

In fact, with the previous MD5 the same time there is a SHA1 encryption method, but also the algorithm is relatively simple, so here is a stroke of it. And here is going to talk about the SHA256 and SHA512 are from the SHA2 family of cryptographic functions, look at the name may you guessed out, the two encryption methods to generate 256 and 512 bits of the length of the hash string.

They are used in the following ways:

Copy the Code code as follows:
<?php
$password = Hash ("sha256", $password);

PHP has built-in hash () function, you just need to pass the encryption method to the hash () function just fine. You can directly specify sha256, SHA512, MD5, SHA1 and other encryption methods.

Salt value

In the process of encryption, we also have a very common small partner: Salt values. Yes, when we encrypt, we actually add an extra string to the encrypted string for the purpose of increasing security:

Copy the Code code as follows:
<?php
function Generatehashwithsalt ($password) {
$intermediateSalt = MD5 (Uniqid (rand (), true));
$salt = substr ($intermediateSalt, 0, 6);
Return hash ("sha256", $password. $salt);
}

Bcrypt

If I were to suggest an encryption, Bcrypt might be the minimum I recommend to you, because I would strongly recommend the Hashing API You'll be talking about later, but Bcrypt is a good way to encrypt.

Copy the Code code as follows:
<?php
function Generatehash ($password) {
if (Defined ("Crypt_blowfish") && crypt_blowfish) {
$salt = ' $2y$11$ '. SUBSTR (MD5 (Uniqid (rand (), true)), 0, 22);
Return crypt ($password, $salt);
}
}

Bcrypt is actually the combination of Blowfish and crypt () functions, and we're here to judge by Crypt_blowfish Blowfish is available and generates a salt value as above, but it is important to note that the salt value of crypt () must start with $2a$ or $2y$, and the details can refer to the following link:

http://www.php.net/security/crypt_blowfish.php

More information can be seen here:

http://php.net/manual/en/function.crypt.php

Password Hashing API

Here is our play, Password Hashing API is a new feature after PHP 5.5 , it mainly provides the following functions for us to use:

Copy the Code code as follows:
Password_hash () – Encrypt the password.
Password_verify () – verifies that a password has been encrypted to verify that its hash string is consistent.
Password_needs_rehash () – Re-encrypt the password.
Password_get_info () – Returns the name of the cryptographic algorithm and some related information.

While it's enough to say that the crypt () function is used, Password_hash () not only makes our code shorter, but also gives us a better guarantee of security, so Now the official PHP is recommended this way to encrypt the user's password, a lot of popular frameworks such as Laravel is the use of this encryption method.

Copy the Code code as follows:
<?php
$hash = Password_hash ($passwod, Password_default);

Yes, it's that simple, a line of code, all done.

Password_default is currently using Bcrypt , so I would say recommend this, but because PASSWORD Hashing API do better, I must solemnly think you recommend Password Hashing API . It is important to note that if your code is using password_default encryption, then in the database table, thePASSWORD field is set to more than 60 characters in length, you can also use the PASSWORD _bcrypt , this time, the string is always 60 characters long after encryption.

Here Password_hash () you can completely not provide salt and consumption value (cost) , you can understand the latter as a performance of the consumption value, cost The larger the encryption algorithm, the greater the memory consumption. Of course, if you need to specify the corresponding salt value and consumption value, you can write:

<?php$options = [' salt ' = + custom_function_for_salt (),//write your own code to generate a suitable salt ' cost ' =&G T (The default cost is); $hash = Password_hash ($password, Password_default, $options);

After the password is encrypted, we need to verify the password to determine if the user entered the correct password:

<?phpif (Password_verify ($password, $hash)) {//Pass}else {//Invalid}

Quite simply, using password_verify directly validates the string that we have previously encrypted (in the database that exists).

However, if there are times when we need to change our encryption, such as a day when we suddenly want to change the salt value or increase the consumption value, we are going to use the password_needs_rehash () function at this time:

<?phpif (Password_needs_rehash ($hash, Password_default, [' cost ' = +])} {//cost change to $hash = Password_has H ($password, Password_default, [' cost ' = 12]); Don ' t forget to store the new hash!}

Only in this way, the PHP Password Hashing API will know that we re-replaced the encryption method, so that the main purpose is to verify the password later.

Simply say password_get_info () , this function generally can see the following three information:

algo– Algorithm Example
algoname– algorithm Name
Optional parameters for options– encryption

Through the above contents of the introduction, personal advice PHP5.5 version used more useful. I hope you like the above content described.

