Several methods of password encryption in PHP

This article mainly introduces several methods for implementing password encryption in PHP. if you need it, refer to this article. PHP develops WEB applications and often completes user registration information. the registration information includes email address and password verification issues. This article mainly focuses on password encryption technicians.

MD5

I believe that when many PHP developers first came into contact with PHP, the preferred encryption function for password processing may be MD5. at that time, I was like this:

The code is as follows:

$ Password = md5 ($ _ POST ["password"]);

Is the above code quite familiar? However, the MD5 encryption method is currently not very popular in PHP, because its encryption algorithm is actually a bit simple, in addition, many password cracking sites store a lot of MD5-encrypted password strings, so I do not advocate using MD5 alone to encrypt users' passwords.

SHA256 and SHA512

In fact, there is also a SHA1 encryption method in the same period as the MD5 method, but it is also a simple algorithm, so let's take it over here. The SHA256 and SHA512 mentioned here are both from the SHA2 family's encryption functions. you may have guessed the name, the two encryption methods generate 256 and 512-bit hash strings respectively.

Their usage is as follows:

The code is as follows:

<? Php
$ Password = hash ("sha256", $ password );

PHP built-inHash ()Function, you only need to pass the encryption methodHash ()Function. You can directly specifySha256, sha512, md5, sha1.

Salt value

In the encryption process, we also have a very common friend: salt value. Yes, we will add an extra string to the encrypted string during encryption to improve security:

The code is as follows:

<? Php
Function generateHashWithSalt ($ password ){
$ IntermediateSalt = md5 (uniqid (rand (), true ));
$ Salt = substr ($ intermediateSalt, 0, 6 );
Return hash ("sha256", $ password. $ salt );
}

Bcrypt

If I suggest an encryption method, Bcrypt may be the minimum requirement I recommend for you, because I will strongly recommend you to refer to it later.Hashing API,BcryptIt is also a good encryption method.

The code is as follows:

<? Php
Function generateHash ($ password ){
If (defined ("CRYPT_BLOWFISH") & CRYPT_BLOWFISH ){
$ Salt = '$ 2y $11 $'. substr (md5 (uniqid (rand (), true), 0, 22 );
Return crypt ($ password, $ salt );
}
}

BcryptActuallyBlowfishAndCrypt ()Function integration. here we useCRYPT_BLOWFISHJudgmentBlowfishWhether it is available, and then generate a salt value as above. However, note that the salt value of crypt () must start with $ 2a $ or $ 2y $, for more information, see the following link:

Http://www.php.net/security/crypt_blowfish.php

For more information, see:

Http://php.net/manual/en/function.crypt.php

Password Hashing API

This is our first scene,Password Hashing APIYesPython 5.5The new features are available later. it mainly provides the following functions for our use:

The code is as follows:

Password_hash ()-encrypt the password.
Password_verify ()-verify the encrypted password and verify that its hash string is consistent.
Password_needs_rehash ()-re-encrypt the password.
Password_get_info ()-return the encryption algorithm name and related information.

AlthoughCrypt ()Functions are sufficient,Password_hash ()This not only makes our code shorter, but also provides better security protection. Therefore, PHP officially recommends this method to encrypt users' passwords, many popular frameworks such as Laravel use this encryption method.

The code is as follows:

<? Php
$ Hash = password_hash ($ passwod, PASSWORD_DEFAULT );

Yes, that's just a simple line of code, All done.

PASSWORD_DEFAULTCurrentlyBcryptSo I will recommend this, but becausePassword Hashing APII want to recommend it to you.Password Hashing API. Note that if your code isPASSWORD_DEFAULTEncryption method. in the database table,PasswordThe field must be set to more than 60 characters long. you can also usePASSWORD_BCRYPTAt this time, the encrypted string is always 60 characters in length.

Used herePassword_hash ()You can leave the salt value empty.(Salt)And consumption value(Cost), You can understand the latter as a performance consumption value,CostThe larger the encryption algorithm, the larger the memory consumption. Of course, if you need to specify the corresponding salt value and consumption value, you can write as follows:

<?php$options = [ 'salt' => custom_function_for_salt(), //write your own code to generate a suitable salt 'cost' => 12 // the default cost is 10];$hash = password_hash($password, PASSWORD_DEFAULT, $options);

After the password is encrypted, we need to verify the password to determine whether the password entered by the user is correct:

<?phpif (password_verify($password, $hash)) { // Pass}else { // Invalid}

Easy to use.Password_verifyWe can verify the previously encrypted string (in the database.

However, if we sometimes need to change our encryption method, for example, if one day we suddenly want to change the salt value or increase the consumption value, we will usePassword_needs_rehash ()Function:

<?phpif (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) { // cost change to 12 $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]); // don't forget to store the new hash!}

Only in this way, PHP'sPassword Hashing APIWe will know that we have replaced the encryption method again. this is mainly for subsequent password verification.

To put it simplyPassword_get_info (), This function can generally see the following three Information:

Algo-algorithm instance
AlgoName-algorithm name
Options-optional parameters during encryption

Based on the above content, I personally suggest using PHP5.5 for better use. I hope you will like the content above.