In day-to-day development we routinely hash passwords. For many PHP developers the first function they reach for when handling a password is MD5; I did the same:
$password = md5($_POST["password"]);
MD5 is the most common way to hash a password, but it is no longer considered safe: the algorithm is simple and fast, and many password-cracking sites store huge tables of precomputed MD5 hashes. So I do not recommend hashing a user's password with MD5 alone.
Besides MD5, then, today I have collected for you some other password hashing methods available in PHP.
I. SHA256 and SHA512
Alongside MD5 there has long been SHA1, whose algorithm is also relatively simple, so it is not covered here. SHA256 and SHA512 both come from the SHA2 family of hash functions; as the names suggest, they produce 256-bit and 512-bit hashes respectively.
They are used as follows:
$password = hash("sha256", $password);
PHP has a built-in hash() function; you just pass the algorithm name to it. You can specify sha256, sha512, md5, sha1 and other algorithms directly.
II. Salt value
Another very common element of password hashing is the salt. That is, we append an extra string to the password before hashing it, for added security, and we record the salt so that it can be used again when comparing:
function generateHashWithSalt($password) {
    // Derive a short random-looking salt (6 hex characters) from uniqid()
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    // The salt must be stored next to the hash, otherwise the password
    // can never be verified again, so both are returned here
    return [
        'hash' => hash("sha256", $password . $salt),
        'salt' => $salt,
    ];
}
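As an added example (not code from the original article), here is a salted SHA-256 record that can actually be verified later, because the salt is stored beside the hash. The "salt:hash" record format, the use of random_bytes() for the salt and the sample password are assumptions made for this example.

```php
<?php
// Added example: salted SHA-256 with the salt stored alongside the hash so
// that verification is possible. The "salt:hash" record layout is assumed.
declare(strict_types=1);

function makeSaltedRecord(string $password): string
{
    // random_bytes() is a CSPRNG; md5(uniqid(rand())) as used in the article
    // is predictable and is not a good salt source.
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, unique per user
    $hash = hash('sha256', $password . $salt);
    return $salt . ':' . $hash;                 // both parts are needed to verify
}

function verifySaltedRecord(string $password, string $record): bool
{
    [$salt, $storedHash] = explode(':', $record, 2) + [null, null];
    if ($salt === null || $storedHash === null) {
        return false;                           // malformed record
    }
    $candidate = hash('sha256', $password . $salt);
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading characters of the hash already matched.
    return hash_equals($storedHash, $candidate);
}

// Constructed sample password, not a real credential.
$record = makeSaltedRecord('hunter2');
var_dump(verifySaltedRecord('hunter2', $record));
var_dump(verifySaltedRecord('hunter3', $record));
// Two users with the same password get different records: that is the point
// of the salt, identical passwords no longer share one precomputable hash.
var_dump(makeSaltedRecord('hunter2') === makeSaltedRecord('hunter2'));
```

Note that a salted SHA-256 is still a fast hash; the bcrypt and Password Hashing API sections below are the preferred choice for passwords.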
III. Bcrypt
Bcrypt is a good hashing method, although the Password Hashing API described later is better.
function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // A bcrypt salt is "$2y$" + two-digit cost + "$" + 22 characters
        // from the bcrypt alphabet (./A-Za-z0-9); hex digits qualify
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}
Bcrypt is in fact the combination of Blowfish and the crypt() function. The CRYPT_BLOWFISH constant tells us whether Blowfish is available, and then we generate a salt as above. Note that the salt passed to crypt() must start with $2a$ or $2y$.
IV. Password Hashing API
Here is the main event: the Password Hashing API, new in PHP 5.5. It mainly provides the following functions:
password_hash()         // hash the password
password_verify()       // check a password against its stored hash string
password_needs_rehash() // check whether the password needs to be rehashed
password_get_info()     // return the algorithm name and related information
This API is not only simple to use but also more secure, and it is the hashing method officially recommended by PHP.
$hash = password_hash($password, PASSWORD_DEFAULT);
PASSWORD_DEFAULT currently uses the bcrypt algorithm. Note that if your code hashes with PASSWORD_DEFAULT, the password column in your database table must be longer than 60 characters, because the default algorithm may change in a later PHP version. You can also use the PASSWORD_BCRYPT algorithm, which always produces a 60-character string.
With password_hash() you can omit the salt and the cost entirely. You can think of the cost as a work factor: the higher the cost, the more expensive the hashing is and the more resources it consumes. If you do need to specify your own salt and cost, you can write:
$options = [
    // Custom function to get a salt value (placeholder name from the article).
    // The 'salt' option is deprecated since PHP 7.0; let password_hash()
    // generate the salt instead
    'salt' => custom_function_for_salt(),
    'cost' => 12, // example value; the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
But in general it is enough to customise the cost and leave the salt at its default.
Once hashed, you can check whether a password is correct simply with:
<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}
password_verify() directly checks the password against the hash we produced earlier (the one stored in the database).
If you want to change the hashing parameters, you must use the following code to rehash the password:
$cost = 12; // example value for the new cost
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => $cost])) {
    // cost changed, so compute a new hash
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => $cost]);
    // then re-save the new hash value
}
Only then will PHP's Password Hashing API know that we switched the hashing parameters, so that password verification continues to work.
password_get_info() generally returns the following three pieces of information:
1. algo: the algorithm identifier
2. algoName: the algorithm name
3. options: the optional parameters used when hashing
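The register/login flow described in this section, as an added example (not code from the original article): the in-memory user array, the HASH_COST constant and the sample credentials are assumptions made for this example.

```php
<?php
// Added example: a complete register/login flow on the Password Hashing API.
// The users "table" is a constructed in-memory array; in a real application
// the hash goes into a column wider than 60 characters, as the article notes.
declare(strict_types=1);

const HASH_COST = 12; // assumed work factor; PHP's default is 10

function registerUser(array &$users, string $username, string $password): void
{
    // No salt is supplied: password_hash() generates a random one and embeds
    // it in the returned string, so nothing else has to be stored.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // The stored hash may come from an older algorithm or a lower cost. The
    // plaintext is only available at login, so this is the place to rehash
    // and re-save it.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }
    return true;
}

$users = []; // constructed stand-in for the users table: username => hash

// Simulate an account created when the cost was still the default of 10.
$users['alice'] = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$before = password_get_info($users['alice']);

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse'));   // also upgrades the hash

$after = password_get_info($users['alice']);
printf("algo %s, cost before: %d, after: %d\n",
    $after['algoName'], $before['options']['cost'], $after['options']['cost']);
printf("stored hash length: %d\n", strlen($users['alice']));
```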
That is the whole content of this article; I hope it helps everyone's learning, and I hope you will support topic.alibabacloud.com.