Detailed PHP processing password several ways _php instance

In PHP, user identity is often authenticated. This article is intended to discuss the handling of passwords, that is, encryption of the password processing.

MD5

I believe many PHP developers in the first contact with PHP, the first encryption function to handle the password may be MD5, I was like this:

$password = MD5 ($_post["password"]);

Is this code familiar? However, MD5 encryption method is now not very safe, because its encryption algorithm is really a bit simpler, and many cracked the password site has a lot of MD5 encrypted password string, so here I am very do not advocate still use the MD5 to encrypt the user's password alone.

SHA256 and SHA512

In fact, with the previous MD5 also has a SHA1 encryption method, but also the algorithm is relatively simple, so here is not introduced. And here is about to say SHA256 and SHA512 are from the SHA2 family of encryption functions, look at the name may be guessed out, the two encryption methods generate 256 and 512 bit length hash string.

They use the following methods:

$password = Hash ("sha256", $password);

PHP has a hash () function built into it, and you just need to pass the encryption to the hash () function. You can directly identify SHA256, SHA512, MD5, SHA1, and other encryption methods.

Salt value

In the process of encryption, we also have a very common thing: the value of salt. Yes, we actually add an extra string to the encrypted string in order to improve the security, and the salt value should be recorded to facilitate the later alignment:

function Generatehashwithsalt ($password) {
  $intermediateSalt = MD5 (Uniqid (rand (), true);
  $salt = substr ($intermediateSalt, 0, 6); 
  Return hash ("sha256", $password. $salt);
}

Bcrypt

Bcrypt is a good way to encrypt, but the hashing API described later is better.

function Generatehash ($password) {
  if (defined ("Crypt_blowfish") && crypt_blowfish) {
    $salt = ' $2y$11$ ' . SUBSTR (MD5 (Uniqid (rand (), True), 0);
    Return crypt ($password, $salt);
  }

Bcrypt is actually a combination of the Blowfish and Crypt (), where we can determine whether Blowfish is available by crypt_blowfish and then generate a salt value like the above, but it should be noted that the salt value of crypt () must be $2a$ or $2y$ the beginning.

Password hashing API

This is our play, the Password hashing API is a new feature after PHP 5.5, and it basically provides the following functions for us to use:

Password_hash ()     //Encrypt the password.
Password_verify ()    //verifies the encrypted password to verify that its hash string is consistent.
Password_needs_rehash ()//To encrypt the password again.
Password_get_info ()   //Returns the name of the cryptographic algorithm and some relevant information.

Using this API is not only simple, but also more secure, which is the official PHP recommended encryption method.

$hash = Password_hash ($passwod, Password_default);

Password_default is currently using the Bcrypt encryption algorithm, where it is necessary to note that if your code is using Password_default encryption, then in the database table, the PASSWORD field will have to set more than 60 characters in length, You can also use the Password_bcrypt algorithm, which is encrypted with a string length of 60.

Using Password_hash () you can simply not provide salt values (salts) and consumption values (cost), you can interpret the latter as a performance consumption value, the greater the cost, the more complex the encryption algorithm, the greater the memory consumption. Of course, if you need to specify the corresponding salt value and consumption value, you can write this:

$options = [
  ' Salt ' => custom_function_for_salt (),//Custom function to obtain the salt
  value ' cost ' =>//The ' default ' # is 10
   
    ];
$hash = Password_hash ($password, Password_default, $options);
   

However, the general custom cost is good, and the salt value uses the default.

After the encryption is good, you can verify that the password is correct by simply using it

<?php
if (password_verify ($password, $hash)) {//pass
}
else {
  //Invalid
}

The direct use of password_verify can be used to validate the strings we have previously encrypted (existing in the database).

If you want to change the way encryption is changed, you must use the following code to encrypt it:

if (Password_needs_rehash ($hash, Password_default, [' Cost ' =>])} {
  //cost changed to
  $hash = Password_hash ($pas Sword, Password_default, [' Cost ' =>]];

  And then save the hash value again
}

Only in this way, the PHP Password hashing API will know that we reproduce the replacement of the encryption method, so as to complete the password verification after.

Password_get_info (), this function can generally see the following three information:

1, algo– algorithm example

2, algoname– algorithm name

3, options– encryption time of the optional parameters

The above is the entire content of this article, I hope to help you learn, but also hope that we support the cloud habitat community.