A detailed explanation of how PHP handles passwords (favorites)

Source: Internet
Author: User
Tags: crypt, md5, sha1, encryption

PHP applications constantly have to authenticate users. This article is about how the password itself should be processed before it is stored, that is, how it is hashed (the original calls this "encryption", but a password store needs a one-way hash, not a reversible cipher).

MD5

Many PHP developers, when they first touch PHP, reach for MD5 as the first function to process a password. I did the same:

$password = md5($_POST["password"]);

Does the code above look familiar? MD5 is no longer safe for this purpose: it is a fast digest with no salt, so identical passwords produce identical digests, and many password-cracking sites keep large precomputed tables of MD5 digests that map straight back to the original password. For that reason I do not recommend using MD5 on its own for user passwords.

SHA256 and SHA512

From the same era as MD5 there is also SHA1, which shares the same weaknesses, so it is not covered here. SHA256 and SHA512 belong to the SHA2 family; as the names suggest, they produce 256-bit and 512-bit digests (64 and 128 hex characters from hash()).

They are used like this:

$password = hash("sha256", $password);

PHP's built-in hash() function takes the algorithm name as its first argument; you can pass "sha256", "sha512", "md5", "sha1" or any other name returned by hash_algos(). Note that a bare SHA2 digest shares MD5's weakness for passwords: it is fast and unsalted, so a precomputed table works just as well against it. The attacker only has to build the table once per algorithm.
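The following added example (not code from the original article) shows why an unsalted fast digest, whether MD5 or SHA-256, does not protect stored passwords. The wordlist and the "leaked" user table are constructed for the demonstration; an attacker would use a real top-N password list. It also shows that equal passwords are visible as equal digests before any guessing starts. Requires PHP 7.1 or later for the array destructuring in foreach.

```php
<?php
// Added example: inverting unsalted password digests with a precomputed table.

// Constructed wordlist standing in for the top-N list an attacker would use.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'dragon', 'hunter2'];

// Constructed "leaked" user table: unsalted digests produced exactly the way
// the md5()/hash() snippets above do it. bob and carol share a password.
$leaked = [
    'alice' => ['md5',    md5('hunter2')],
    'bob'   => ['sha256', hash('sha256', 'letmein')],
    'carol' => ['sha256', hash('sha256', 'letmein')],
    'dave'  => ['md5',    md5('correct horse battery staple')],
];

// Precompute digest => password once per algorithm. The attacker pays this
// cost a single time and reuses the table against every leaked database,
// which is what "password-cracking sites" are doing at scale.
function buildLookupTable(array $wordlist, array $algos): array
{
    $table = [];
    foreach ($algos as $algo) {
        foreach ($wordlist as $candidate) {
            $table[$algo][hash($algo, $candidate)] = $candidate;
        }
    }
    return $table;
}

// Recover passwords by table lookup alone: no hashing happens at this point.
function crackUnsalted(array $leaked, array $table): array
{
    $cracked = [];
    foreach ($leaked as $user => [$algo, $digest]) {
        $cracked[$user] = $table[$algo][$digest] ?? null; // null: not in wordlist
    }
    return $cracked;
}

$table = buildLookupTable($wordlist, ['md5', 'sha256']);
foreach (crackUnsalted($leaked, $table) as $user => $plain) {
    printf("%-6s %s\n", $user, $plain === null ? '(not in wordlist)' : "cracked: $plain");
}

// Even without cracking anything, the duplicate digest leaks that two users
// chose the same password; a salt is what removes that signal.
var_dump($leaked['bob'][1] === $leaked['carol'][1]); // bool(true)
```

Swapping md5() for hash('sha256', ...) changes nothing here except which table the attacker consults; dave survives only because his passphrase is not in the wordlist, not because of the algorithm.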

Salt value

Alongside the hash algorithm there is one more very common ingredient: the salt. Before hashing, an extra random string is appended to the password, so identical passwords no longer produce identical digests and a precomputed table becomes useless. The salt must be stored together with the hash so the same input can be rebuilt at verification time:

function generateHashWithSalt($password) {
    // 16 bytes from the CSPRNG (random_bytes() needs PHP 7+); uniqid()/rand()
    // are predictable and must not be used to derive a salt
    $salt = bin2hex(random_bytes(16));
    // keep the salt with the hash, otherwise the result can never be verified
    return $salt . ':' . hash("sha256", $password . $salt);
}

Bcrypt

Bcrypt is a good choice, but the Password Hashing API described later is better.

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // bcrypt needs a 22-character salt from the alphabet ./A-Za-z0-9;
        // derive it from CSPRNG bytes rather than uniqid()/rand()
        $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
        return crypt($password, '$2y$11$' . $salt);
    }
    return false; // bcrypt unavailable (never the case since PHP 5.3.7)
}

Bcrypt is a password hash built on the Blowfish key schedule, and PHP exposes it through crypt(). The CRYPT_BLOWFISH constant tells you whether the build supports it (it always does since PHP 5.3.7). The setting string passed to crypt() must start with $2a$ or $2y$, followed by the two-digit cost (11 above) and a 22-character salt from the alphabet ./A-Za-z0-9. Use $2y$: it is the prefix PHP 5.3.7 introduced for the corrected implementation.
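The added example below (not the article's own code) wraps crypt()-based bcrypt the way a practitioner would actually deploy it: a CSPRNG-derived salt, a check that crypt() really produced a bcrypt hash rather than its "*0" failure marker, and the verification step the article leaves out, which reuses the stored hash as the setting string so the same cost and salt are recomputed. The cost of 11 is an assumption taken from the snippet above.

```php
<?php
// Added example: bcrypt via crypt() with salt generation and verification.

const BCRYPT_COST = 11; // assumed from the article's snippet; tune to your hardware

function bcryptSalt(): string
{
    // bcrypt wants 22 characters from ./A-Za-z0-9. 16 random bytes base64-encode
    // to 22 characters plus "==" padding; '+' is not in bcrypt's alphabet,
    // so it is mapped to '.' and the padding is cut off.
    $b64 = strtr(base64_encode(random_bytes(16)), '+', '.');
    return substr($b64, 0, 22);
}

function bcryptHash(string $password, int $cost = BCRYPT_COST): string
{
    if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    // Setting string layout: $2y$<two-digit cost>$<22-char salt>
    $setting = sprintf('$2y$%02d$%s', $cost, bcryptSalt());
    $hash = crypt($password, $setting);
    // crypt() reports a malformed setting with a short "*0"/"*1" string instead
    // of throwing, so anything other than the 60-character bcrypt form is an error.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function bcryptVerify(string $password, string $storedHash): bool
{
    // The first 29 characters of the stored hash ($2y$, cost, salt) are the
    // setting string, so crypt() recomputes with identical parameters.
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$hash = bcryptHash('correct horse battery staple');
echo $hash, "\n"; // $2y$11$ + 22-char salt + 31-char digest = 60 characters
var_dump(bcryptVerify('correct horse battery staple', $hash)); // bool(true)
var_dump(bcryptVerify('Correct horse battery staple', $hash)); // bool(false)
// Each call draws a fresh salt, so the same password never hashes the same twice.
var_dump(bcryptHash('same') === bcryptHash('same'));           // bool(false)
```

One caveat to keep in mind with any bcrypt implementation: the algorithm only uses the first 72 bytes of the password, so anything beyond that is silently ignored.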

Password Hashing API

Now the main act. The Password Hashing API has been available since PHP 5.5 and provides these functions:

password_hash()         // hashes a password
password_verify()       // checks a password against a stored hash
password_needs_rehash() // reports whether a stored hash should be re-hashed under new parameters
password_get_info()     // returns the algorithm name and parameters of a hash

This API is not only simple to use but also safer than hand-rolled hashing; it is the officially recommended way to hash passwords in PHP.

$hash = password_hash($password, PASSWORD_DEFAULT);

PASSWORD_DEFAULT currently means bcrypt. If your code uses PASSWORD_DEFAULT, the password column in the database must be longer than 60 characters (the PHP manual suggests 255), because the default may change to a newer algorithm with longer output in a future PHP release. If you use PASSWORD_BCRYPT explicitly, the output is always exactly 60 characters.

password_hash() needs neither a salt nor a cost from you. The cost is a work factor: bcrypt runs 2^cost rounds of its key setup, so each increment doubles the CPU time of hashing one password, for an attacker as much as for you (the cost affects time, not memory). If you do want to set the salt or the cost explicitly, you can write:

$options = [
    'salt' => custom_function_for_salt(), // custom function that returns a salt
    'cost' => 12                          // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);

In practice, setting a custom cost is fine, but leave the salt to the default: password_hash() draws its own salt from a CSPRNG, and the 'salt' option has been deprecated since PHP 7.0 and is ignored with a warning from PHP 8.0.

Once hashed, checking whether a submitted password is correct is just:

<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}

password_verify() reads the algorithm, cost and salt out of the stored hash (the one we previously saved in the database), recomputes the hash of the submitted password, and compares the two in constant time.

If you want to change the hashing parameters (or the algorithm), re-hash with the following code:

if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
    // cost changed to 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // then resave the hash value
}

password_needs_rehash() only reports whether the stored hash matches the current algorithm and options; it cannot re-hash anything by itself, because it has no plaintext. The check therefore belongs in the login path, right after a successful password_verify(), which is the only moment the plaintext password is available.

password_get_info() returns an array with three entries:

1. algo: the algorithm identifier

2. algoName: the algorithm name

3. options: the options the hash was created with
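The added example below (not the article's own code) ties the four functions together in a complete register/login flow: registration with password_hash(), login with password_verify(), and the transparent upgrade of old hashes through password_needs_rehash() at the only point where the plaintext exists. The user store is a constructed in-memory array standing in for a table with a VARCHAR(255) password column, and the "legacy" row is constructed to simulate a hash made before the cost was raised. Requires PHP 7.

```php
<?php
// Added example: registration, login and hash upgrade with the Password Hashing API.

// Current policy. Raising the cost later (or changing the algorithm) is picked
// up automatically on each user's next successful login.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

function registerUser(array &$users, string $username, string $password): void
{
    // No salt supplied: password_hash() draws one from the CSPRNG and embeds it.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the user does not exist, so response
    // time does not reveal which usernames are valid.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // Only here is the plaintext available, so this is the only place a hash
    // made under an older cost or algorithm can be upgraded.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
// Constructed legacy row: hashed before the cost was raised from 10 to 12.
$users['legacy'] = password_hash('old-password', PASSWORD_BCRYPT, ['cost' => 10]);
registerUser($users, 'alice', 'correct horse battery staple');

print_r(password_get_info($users['legacy']));            // options => cost 10
var_dump(loginUser($users, 'legacy', 'wrong-password')); // bool(false), hash untouched
var_dump(loginUser($users, 'legacy', 'old-password'));   // bool(true), hash upgraded
print_r(password_get_info($users['legacy']));            // options => cost 12
var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginUser($users, 'nobody', 'anything'));       // bool(false)
```

In a real application the rehash branch is followed by an UPDATE of the user's row; the in-memory array stands in for that write. The dummy verification keeps the cost of a failed login for an unknown user in line with that of a wrong password for a known one.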

That is all for this article; I hope it helps your learning, and please keep supporting Script Home.

Original link: http://blog.csdn.net/STFPHP/article/details/52964250
