Several ways of password encryption in PHP _php instance

PHP Development of Web applications, often complete the user registration information, registration information, including mailbox and password verification issues, this article is mainly for encryption of the technician way.

MD5

I believe many PHP developers in the first contact with PHP, the first encryption function to handle the password may be MD5, I was like this:

Copy Code code as follows:

$password = MD5 ($_post["password"]);

Is this code familiar? However, the MD5 encryption method is currently in PHP's lakes and rivers seem to be less popular, because its encryption algorithm is really a bit simple, and many crack password sites are stored a lot of MD5 encrypted password string, so here I am very do not advocate still use the MD5 to encrypt the user's password alone.

SHA256 and SHA512

In fact, with the previous MD5 the same time there is a SHA1 encryption, but also the algorithm is relatively simple, so here is a pen to take it. And here is about to say SHA256 and SHA512 are from the SHA2 family of encryption functions, look at the name may be guessed out, the two encryption methods generate 256 and 512 bit length hash string.

They use the following methods:

Copy Code code as follows:

<?php
$password = Hash ("sha256", $password);

PHP has a hash () function built into it, and you just need to pass the encryption to the hash () function. You can directly identify sha256, SHA512, MD5, SHA1 , and other encryption methods.

Salt value

In the process of encryption, we also have a very common small partner: salt value. Yes, when we encrypt, we actually add an extra string to the encrypted string to achieve the goal of increasing security:

Copy Code code as follows:

<?php
function Generatehashwithsalt ($password) {
$intermediateSalt = MD5 (Uniqid (rand (), true);
$salt = substr ($intermediateSalt, 0, 6);
Return hash ("sha256", $password. $salt);
}

Bcrypt

If I were to suggest an encryption method, Bcrypt might be the minimum I could recommend, because I would strongly recommend the hashing API you'll be talking about later, but Bcrypt is a good way to encrypt it.

Copy Code code as follows:

<?php
function Generatehash ($password) {
if (Defined ("Crypt_blowfish") && crypt_blowfish) {
$salt = ' $2y$11$ '. SUBSTR (MD5 (Uniqid (rand (), True), 0, 22);
Return crypt ($password, $salt);
}
}

Bcrypt is actually a combination of Blowfish and crypt () , and we're here to judge by Crypt_blowfish Blowfish is available, and then generates a salt value like the above, but it should be noted that the salt value of crypt () must begin with a $2a$ or $2y$, and the details can refer to the link below:

http://www.php.net/security/crypt_blowfish.php

More information can be seen here:

http://php.net/manual/en/function.crypt.php

Password hashing API

This is our play, the Password hashing API is a new feature after PHP 5.5 , which provides the following functions for us to use:

Copy Code code as follows:

Password_hash () – Encrypt the password.
Password_verify () – Validates the password that has been encrypted and verifies that its hash string is consistent.
Password_needs_rehash () – Encrypt the password again.
Password_get_info () – Returns the name of the cryptographic algorithm and some related information.

Although the crypt () function is sufficient for use, Password_hash () can not only make our code shorter, but also provide us with better security, so Now the official PHP is recommended this way to encrypt the user's password, many popular frameworks such as Laravel is the use of this encryption method.

Copy Code code as follows:

<?php
$hash = Password_hash ($passwod, Password_default);

Yes, it's that simple, one line of code, all done.

Password_default is currently using bcrypt , so on top I would say recommend this, but because PASSWORD hashing API to do better, I must seriously think you recommend Password hashing API . It should be noted here that if your code uses password_default encryption, then in the database table, thePASSWORD field will have to set more than 60 characters in length, you can also use the PASSWORD _bcrypt , this time, encrypted after the string is always 60 characters long.

Using password_hash () you can simply not provide salt values (salts) and consumption values (cost ) , you can interpret the latter as a kind of performance consumption value, the greater the cost, The more complex the encryption algorithm, the greater the memory consumed. Of course, if you need to specify the corresponding salt value and consumption value, you can write this:

<?php
$options = [
 ' Salt ' => custom_function_for_salt (),//write your own code to generate a suitable salt
    ' cost ' => A//The default cost is
;
$hash = Password_hash ($password, Password_default, $options);

After the password is encrypted, we need to verify the password to determine whether the user entered the correct password:

<?php
if (password_verify ($password, $hash)) {//pass
}
else {
 //Invalid
}

Quite simply, the direct use of password_verify can be used to validate our previously encrypted strings (existing in the database).

However, if sometimes we need to change our encryption methods, such as a day when we suddenly want to change the salt value or increase the consumption value, we will use the password_needs_rehash () function at this time:

<?php
if (Password_needs_rehash ($hash, Password_default, [' Cost ' =>])} {//cost change to
 $hash = Password_hash ($password, Password_default, [' Cost ' =>]);
 Don ' t forget to store the new hash!
}

Only in this way, PHP's Password hashing API will know that we reproduce the replacement of the encryption method, the main purpose is to later password verification.

Simply put password_get_info () , this function can generally see the following three information:

algo– Algorithm Example
algoname– algorithm Name
Optional parameters for options– encryption

Through the introduction of the above content, personal advice PHP5.5 version of the use of more useful. I hope you will enjoy the above mentioned content.