In PHP applications the user's identity usually has to be authenticated. This article discusses how the password is processed, that is, how the password is hashed before it is stored.
MD5
I believe that for many PHP developers the first function they reach for to hash a password is MD5; that is how I started:

$password = md5($_POST["password"]);
Does the above code look familiar? MD5 is no longer considered safe for this purpose: the algorithm is fast and simple, and many password-cracking sites store huge tables of MD5 hashes of common passwords, so I do not recommend using MD5 alone to hash user passwords.
SHA256 and SHA512
SHA1 existed alongside MD5 and is also a relatively weak algorithm, so it is not covered here. SHA256 and SHA512 belong to the SHA2 family of hash functions; as the names suggest, they produce hashes 256 and 512 bits long.
They are used in the following ways:
$password = hash("sha256", $password);

PHP has a built-in hash() function; you only need to pass the algorithm name as its first argument. You can specify sha256, sha512, md5, sha1 and other algorithms directly.
Salt value
Hashing commonly involves one more ingredient: the salt. When hashing, we append an extra string to the value being hashed to make it harder to attack, and we record the salt so that the same value can be used for the comparison later:

function generateHashWithSalt($password) {
    // Random-looking string used as the salt source; keep its first 6 characters
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    // The salt must be stored next to the hash so it can be appended again at verification time
    return hash("sha256", $password . $salt);
}
Bcrypt
Bcrypt is a good way to hash passwords, but the Password Hashing API described later is better.

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // bcrypt salt format: "$2y$" prefix, two-digit cost (11 here) and a 22-character salt
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}

Bcrypt is the Blowfish-based variant of the crypt() function: CRYPT_BLOWFISH tells us whether Blowfish is available, and then we generate a salt as above. Note that the salt passed to crypt() must begin with $2a$ or $2y$.
Password Hashing API
Now for the main event: the Password Hashing API is new as of PHP 5.5 and provides the following functions:

password_hash()         // Hash a password.
password_verify()       // Check a password against a stored hash and report whether they match.
password_needs_rehash() // Check whether a stored hash should be regenerated with new parameters.
password_get_info()     // Return the name of the hashing algorithm and related information.
This API is not only simple to use but also more secure, and it is the hashing method officially recommended by PHP.

$hash = password_hash($password, PASSWORD_DEFAULT);
PASSWORD_DEFAULT currently uses the bcrypt algorithm. Note that if your code hashes with PASSWORD_DEFAULT, the password column in your database table must allow more than 60 characters, because the default algorithm may change in future. You can also use the PASSWORD_BCRYPT algorithm explicitly, whose output is always exactly 60 characters long.
With password_hash() you do not have to provide a salt or a cost at all. The cost can be understood as a work factor: the higher the cost, the more work the hashing takes and the more resources it consumes. If you do need to specify a salt and cost, you can write:

$options = [
    'salt' => custom_function_for_salt(), // custom function that returns a salt value
    'cost' => 12,                         // cost chosen here as an example; the default is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
In general, setting a custom cost is fine, but leave the salt at its default: password_hash() generates a random salt itself, and the salt option was deprecated in PHP 7.0 and is ignored since PHP 8.0.
Once a password has been hashed, checking whether a submitted password is correct is as simple as:

<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}

password_verify() checks the password directly against the hash we stored earlier (for example in the database).
If you want to change the hashing parameters, use the following code to rehash the password:

$newCost = 12; // example target cost; pick the value you want to migrate to
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => $newCost])) {
    // the cost has changed, so generate a new hash ...
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => $newCost]);
    // ... and then save the new hash value
}

Only once the new hash has been saved will PHP's Password Hashing API verify the password with the new parameters.
password_get_info() generally returns the following three pieces of information:

1. algo – the algorithm identifier
2. algoName – the algorithm name
3. options – the optional parameters that were used when hashing
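The following added example (it is not code from the original article) puts the whole Password Hashing API flow together: registering a user, verifying a login, and transparently upgrading an outdated hash at the only moment the plaintext is available. The in-memory $users array stands in for a database table, and TARGET_COST, the function names and the sample users are assumptions made for this demo.

```php
<?php
// Added example, not from the original article: register, verify and rehash
// with the Password Hashing API. $users is a constructed in-memory stand-in
// for a database table; TARGET_COST and the function names are assumptions.

const TARGET_COST = 12; // assumed work factor; the PHP default is 10

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt itself; never supply your own.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => TARGET_COST]);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT, ['cost' => TARGET_COST]);

    $hash = $users[$username] ?? $dummyHash;
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }

    // The password matched and we still hold the plaintext, so this is the
    // only point at which an outdated hash (old algorithm or lower cost)
    // can be upgraded and re-saved.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => TARGET_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => TARGET_COST]);
    }
    return true;
}

// Constructed walk-through.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

// A legacy row hashed with a lower cost, as an older deployment might have stored it.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(loginUser($users, 'alice', 'wrong password')); // wrong password for a known user
var_dump(loginUser($users, 'mallory', 'anything'));      // unknown user, same verify cost
var_dump(loginUser($users, 'bob', 'hunter2'));            // correct password, hash gets upgraded
print_r(password_get_info($users['bob']));                // algoName and options after the upgrade
```

Run it with the PHP CLI; after the third login the options returned by password_get_info() for bob reflect TARGET_COST rather than the legacy cost.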
That is the whole content of this article. I hope it has helped with your learning, and I hope you will continue to support Script Home.