A summary of password hashing solutions in PHP (PHP example)

Source: Internet
Author: User
Tags: crypt, md5, rand

Incidents of this kind keep happening, and they have a huge impact on users, because people tend to reuse the same password on different websites: once one site's user database is leaked (a "database dump"), every site that user registered on is exposed.

The common approach

1. Apply a one-way hash directly to the plaintext password:

$password = md5($_POST["password"]);

2. Hash the password together with a salt. PHP's built-in hash() function takes the algorithm name as its first argument, so you only need to name the algorithm you want: it accepts sha256, sha512, md5, sha1 and many others.

<?php

function generateHashWithSalt($password) {
    // Derive a short salt from a (non-cryptographic) pseudo-random value.
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    // The salt must be stored next to the digest, or the hash can never be verified.
    return hash("sha256", $password . $salt);
}
?>

A one-way hashing algorithm has the property that the original data cannot be recovered from the hash digest; commonly used one-way hash algorithms include SHA-256, SHA-1 and MD5. For example, the SHA-256 digest of the password "Passwordhunter" is:
"Bbed833d2c7805c4bf039b140bec7e7452125a04efa9e0b296395a9b95c2d44c"

Note: an attacker can run every common password through the one-way hash in advance, obtain a table of digests, and then match the digests found in a leaked database against that table to recover the corresponding passwords. Such a precomputed table of digests is called a rainbow table. Worse, a single rainbow table built this way matches every password database that uses the same unsalted hash, so it is still the case that one database dump makes everyone suffer.
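As an added example (not part of the original article), the following PHP script shows both halves of this note in working code: a tiny precomputed digest table recovering unsalted MD5 digests from a constructed "leaked" table, and the salted alternative in which each user gets a fresh random salt stored next to the digest. It assumes PHP 7.0+ for random_bytes(); the function names, user names and password list are mine, constructed for the demo.

```php
<?php
// Added example, not the article's own code. All rows below are constructed.

// A stand-in for a rainbow table: digest => plaintext for a few common
// passwords (a real table holds billions of candidates, hashed once, reused forever).
function buildLookupTable(array $commonPasswords): array {
    $table = [];
    foreach ($commonPasswords as $p) {
        $table[md5($p)] = $p;
    }
    return $table;
}

// Recover every leaked unsalted MD5 digest that appears in the table.
function crackUnsalted(array $leakedRows, array $table): array {
    $cracked = [];
    foreach ($leakedRows as $user => $digest) {
        if (isset($table[$digest])) {
            $cracked[$user] = $table[$digest];
        }
    }
    return $cracked;
}

// Salted storage: one random salt per user, stored alongside the digest.
// The salt is not secret; it only has to be unique, so a single precomputed
// table can no longer cover every user at once.
function makeSaltedRecord(string $password): array {
    $salt = bin2hex(random_bytes(16));   // 128-bit salt from the OS CSPRNG
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function verifySaltedRecord(string $password, array $record): bool {
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);   // constant-time comparison
}

// --- constructed demo data ----------------------------------------------------
$commonPasswords = ['123456', 'password', 'qwerty', 'letmein'];
$table = buildLookupTable($commonPasswords);

// Three users whose passwords were stored with bare md5(); two chose common ones.
$leaked = [
    'alice' => md5('123456'),
    'bob'   => md5('correct horse battery staple'),
    'carol' => md5('qwerty'),
];
print_r(crackUnsalted($leaked, $table));   // alice and carol are recovered instantly

// The same password, salted, for two different users: the digests differ,
// neither appears in the precomputed table, and verification still works.
$a = makeSaltedRecord('123456');
$c = makeSaltedRecord('123456');
var_dump($a['hash'] !== $c['hash']);          // true
var_dump(isset($table[$a['hash']]));          // false
var_dump(verifySaltedRecord('123456', $a));   // true
var_dump(verifySaltedRecord('wrong', $a));    // false
```

A salt removes the reuse of precomputed tables, but SHA-256 is still a fast function: with the salt in hand an attacker can try billions of candidates per second against one user on a GPU. That is why the next section moves to a deliberately slow algorithm.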

A better solution

Bcrypt

<?php
function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // "$2y$" selects bcrypt, "11" is the cost, then 22 salt characters
        // (the length the bcrypt format requires) taken from an md5 hex string.
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}
?>

Bcrypt is the Blowfish-based variant of crypt(). We first check CRYPT_BLOWFISH to confirm that Blowfish is available in this PHP build, then generate a salt as above. Note that for crypt() a bcrypt salt must begin with "$2a$" or "$2y$" (the "$2y$" form requires PHP 5.3.7 or later) followed by the two-digit cost and 22 salt characters. Deriving the salt from md5(uniqid(rand(), true)) works, but it is not cryptographically random; on PHP 7 and later prefer random_bytes(). For details see the links below:

http://www.php.net/security/crypt_blowfish.php

http://php.net/manual/en/function.crypt.php
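The article generates a bcrypt hash but never shows how to check a password against it. The following is an added example (not the article's own code, and not from the PHP manual) that builds the "$2y$" salt prefix from random_bytes() and adds the verification step; it assumes PHP 7.0+ and the function names are mine.

```php
<?php
// Added example: bcrypt via crypt() with a properly generated salt, plus verification.

function bcryptSalt(int $cost): string {
    // crypt() wants "$2y$" + two-digit cost + "$" + 22 characters from [./A-Za-z0-9].
    // 16 random bytes base64-encode to 22 usable characters; '+' is not in the
    // bcrypt alphabet, so it is mapped to '.'.
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $raw);
}

function bcryptHash(string $password, int $cost = 11): string {
    if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    $hash = crypt($password, bcryptSalt($cost));
    // crypt() signals an unusable salt by returning a short failure string such as
    // "*0"; a real bcrypt hash is always 60 characters long.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// Verification: the stored hash carries its own algorithm, cost and salt, so
// running crypt() with the stored hash as the "salt" must reproduce it exactly.
// hash_equals() compares in constant time.
function bcryptVerify(string $password, string $storedHash): bool {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$hash = bcryptHash('correct horse battery staple', 11);
echo $hash, "\n";   // $2y$11$ followed by 22 salt characters and 31 hash characters
var_dump(bcryptVerify('correct horse battery staple', $hash));   // true
var_dump(bcryptVerify('Correct horse battery staple', $hash));   // false

// Hashing the same password twice gives different strings: each call draws its own salt.
var_dump(bcryptHash('hunter2') !== bcryptHash('hunter2'));   // true
```

Two caveats worth knowing when using bcrypt directly: it only looks at the first 72 bytes of the password, so longer inputs are silently truncated, and the cost is embedded in the hash, which is what later allows old hashes to be recognised and upgraded.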

Password hashing API

The Password hashing API was added in PHP 5.5 and provides the following functions:

password_hash() – hashes a password.
password_verify() – checks a password against a previously stored hash and reports whether they match.
password_needs_rehash() – checks whether a stored hash was created with a different algorithm or options than the ones given, i.e. whether it should be hashed again.
password_get_info() – returns the name of the hashing algorithm and its options.

Although crypt() is sufficient on its own, password_hash() not only makes our code shorter but also gives us better security by default, so PHP now officially recommends this way of hashing users' passwords. Many popular frameworks, such as Laravel, use it.

<?php
$hash = password_hash($password, PASSWORD_DEFAULT);
?>

PASSWORD_DEFAULT currently selects bcrypt, the strongest algorithm the password hashing API offers at the time of writing. Note that if your code hashes with PASSWORD_DEFAULT, the password column in the database table must be able to hold more than 60 characters (the PHP manual suggests 255), because the default algorithm may change in a future PHP release. If you use PASSWORD_BCRYPT explicitly, the resulting string is always exactly 60 characters long.

With password_hash() you can simply omit both the salt and the cost: the function generates a random salt for you. The cost is a work factor, not a memory setting: each increment doubles the number of bcrypt rounds, so the higher the cost, the longer every hash (and every verification) takes. If you do need to specify a salt or cost, you can write the following. Be aware that the salt option is deprecated as of PHP 7.0 and is ignored with a warning from PHP 8.0, so in practice only the cost should be supplied:
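Because the cost is a time trade-off, the practical question is which value to use on a given server. The following added example (not the article's code) measures password_hash() at increasing costs and returns the highest one that stays under a per-hash time budget; the 50 ms target and the cost range are assumptions to be tuned to your login latency requirements. It assumes PHP 5.5+ for the password hashing API.

```php
<?php
// Added example: choose a bcrypt cost empirically on the machine that will run it.

function chooseBcryptCost(float $targetSeconds = 0.05, int $minCost = 8, int $maxCost = 14): int {
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        printf("cost %2d: %6.1f ms\n", $cost, $elapsed * 1000);
        if ($elapsed > $targetSeconds) {
            break;   // each +1 doubles the work, so the first cost over budget ends the search
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = chooseBcryptCost();
echo "Using cost {$cost}\n";

// No salt option: password_hash() draws a random salt itself.
$hash = password_hash('123456', PASSWORD_BCRYPT, ['cost' => $cost]);
echo $hash, "\n";                                 // 60 characters, "$2y$<cost>$..."
print_r(password_get_info($hash)['options']);     // ['cost' => <the chosen cost>]
```

Run this on the production hardware rather than a developer laptop, and re-run it when the hardware changes; the next section shows how password_needs_rehash() lets existing hashes catch up with a raised cost.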

<?php
// A custom bcrypt salt is 22 characters from the alphabet ./0-9A-Za-z; the
// "$2y$11$" prefix belongs to crypt(), not to the password_hash() salt option.
// md5() hex output falls inside that alphabet, which is why the truncation works.
function custom_function_for_salt() {
    return substr(md5(uniqid(rand(), true)), 0, 22);
}

$password = "123456";

$options = [
    'salt' => custom_function_for_salt(),   // write your own code to generate a suitable salt
    'cost' => 12,                            // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
echo $hash;
?>

Once the password has been hashed, we need to verify it at login to determine whether the user entered the correct password:

<?php
if (password_verify($password, $hash)) {
    // pass
} else {
    // invalid
}
?>

Calling password_verify() directly, we can check a submitted password against the hash we stored earlier (for example in the database); the stored hash already contains the algorithm, cost and salt that were used.

If we later need to change how passwords are hashed, for example because one day we decide to switch algorithm or raise the cost, we use the password_needs_rehash() function.

<?php
// Run this right after password_verify() has succeeded: the plaintext is needed to rehash.
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {   // cost changed to 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);

    // Don't forget to store the new hash!
}
?>

This is how the password hashing API lets us change the algorithm or cost without disrupting users: every stored hash records the algorithm and options it was created with, password_needs_rehash() compares them against the current ones, and a user's row is upgraded the next time that user logs in, since that is the only moment we hold the plaintext. The same metadata can be read with password_get_info(), which returns the following three pieces of information:

algo – the algorithm identifier
algoName – the algorithm name (for example "bcrypt")
options – the options the hash was created with (for example the cost)
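The pieces above (hash on registration, verify on login, rehash when the policy changes, inspect with password_get_info()) fit together into one flow. The following added example (not the article's code) runs that flow against an in-memory array standing in for the users table: a legacy row hashed at cost 10 is transparently upgraded to the assumed current policy of cost 12 on its first successful login. It assumes PHP 7.0+ (for ??) and the function, user and option names are mine.

```php
<?php
// Added example: the complete password lifecycle with the PHP 5.5+ password hashing API.

const CURRENT_ALGO    = PASSWORD_DEFAULT;
const CURRENT_OPTIONS = ['cost' => 12];   // assumed site policy; the library default is 10

$users = [];   // username => ['hash' => string], stand-in for the database table

function registerUser(array &$users, string $username, string $password): void {
    // No salt option: password_hash() draws a random salt from the OS CSPRNG.
    $users[$username] = ['hash' => password_hash($password, CURRENT_ALGO, CURRENT_OPTIONS)];
}

function loginUser(array &$users, string $username, string $password): bool {
    // Verify against a dummy hash when the user does not exist, so the response
    // time does not reveal whether a username is registered.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', CURRENT_ALGO, CURRENT_OPTIONS);
    $stored = $users[$username]['hash'] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // Transparent migration: possible only here, because we hold the plaintext.
    if (password_needs_rehash($stored, CURRENT_ALGO, CURRENT_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, CURRENT_ALGO, CURRENT_OPTIONS);
        // In a real application: UPDATE users SET password = ? WHERE username = ?
    }
    return true;
}

// --- constructed walk-through --------------------------------------------------
// A legacy row hashed at cost 10, as if written before the policy was raised.
$users['legacy'] = ['hash' => password_hash('old-pass', PASSWORD_BCRYPT, ['cost' => 10])];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'wrong'));                          // false
var_dump(loginUser($users, 'nobody', 'anything'));                      // false
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));   // true

print_r(password_get_info($users['legacy']['hash']));   // options: cost 10 before login
var_dump(loginUser($users, 'legacy', 'old-pass'));      // true, and the row is rehashed
print_r(password_get_info($users['legacy']['hash']));   // options: cost 12 after login
```

The same loop handles an algorithm change: if CURRENT_ALGO is switched (for example to PASSWORD_ARGON2ID on a build that has it), password_needs_rehash() reports every bcrypt row as stale and each user is migrated at their next login, with no mass reset of passwords.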

That is the whole of this article. I hope it helps with your studies, and I hope you will continue to support the Yunqi community.
