A more secure PHP password hashing mechanism: bcrypt and password_hash() in detail
Preface
So that a user's plaintext password is not disclosed when the server is attacked and the database is dumped, passwords are generally stored as a one-way, irreversible hash rather than in plaintext.
Common methods are:

Hash method | Resulting hash
md5('20140901') | e10adc3949ba59abbe56e057f20f883e
md5('20140901' . ($salt = 'salt')) | 207acd61a3c1bd506d7e9a4535359f8a
sha1('20140901') | 40-character ciphertext
hash('sha256', '123') | 64-character ciphertext
hash('sha512', '123') | 128-character ciphertext
The longer the hash, the longer a brute-force attack against it takes on the same machine, and the safer it is.
The common approach is md5 + salt, which makes simple user-chosen passwords harder to crack.
Password_hash
However, the recommended approach now is the password_hash() function, which salts and hashes the password automatically and makes the result very hard to crack.
```php
<?php
$password = '123456';
// Two calls with the same input produce two different hashes (a fresh random salt each time)
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(password_hash($password, PASSWORD_DEFAULT));
```
The hash generated by password_hash is 60 characters long for PASSWORD_BCRYPT; for PASSWORD_DEFAULT it is currently 60 characters but may grow to up to 255 characters in the future. The value of PASSWORD_DEFAULT depends on the PHP version and may change to a different algorithm later, but this does not affect usage.
Each run of password_hash produces a different result, so you need the password_verify function to check a password against a stored hash.
```php
<?php
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
// password_verify reads the salt and cost from $hash and recomputes the hash to compare
var_dump(password_verify($password, $hash));
```
password_hash stores all parameters of the hash calculation in the hash result itself; password_get_info extracts this information.
```php
<?php
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_get_info($hash));
```
Output:

```
array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}
```

Note: the salt is not included in this output.
It can be seen that on my current PHP version PASSWORD_DEFAULT is actually PASSWORD_BCRYPT.
In password_hash($password, $algo, $options), the third parameter $options can also set a salt of at least 22 characters. However, it is strongly recommended to use the salt that PHP generates by default and not to set the salt manually. (The manual salt option was deprecated in PHP 7.0 and removed in PHP 8.0.)
When you want to upgrade the hashing algorithm or its options, password_needs_rehash tells you whether a stored hash should be regenerated. The following code is the official example.
```php
<?php
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT); // stands in for the hash loaded from storage
$options = array('cost' => 11);

// Verify stored hash against plain-text password
if (password_verify($password, $hash)) {
    // Check if a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, create a new hash, and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    // Log user in
}
```
password_needs_rehash can be understood as comparing $algo + $options against the return value of password_get_info($hash).
password_hash is slow by design
password_hash is slow, which means only a small number of password guesses can be tried in a given time, reducing the risk if the hashes leak.
```php
<?php
$password = '123456';

// Time a single password_hash call
var_dump(microtime(true));
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(microtime(true));
echo "\n";

// Time 1000 md5 calls for comparison
var_dump(microtime(true));
var_dump(md5($password));
for ($i = 0; $i < 999; $i++) {
    md5($password);
}
var_dump(microtime(true));
```
Output:

```
float(1495594920.7034)
string(60) "$2y$10$9ZLvgzqmiZPEkYiIUchT6eUJqebekOAjFQO8/jW/Q6DMrmWNn0PDm"
float(1495594920.7818)

float(1495594920.7818)
string(32) "e10adc3949ba59abbe56e057f20f883e"
float(1495594920.7823)
```
password_hash takes 784 milliseconds per call, while running md5 1000 times takes 5 milliseconds. This is a rough comparison and depends on the machine, but it shows that password_hash is indeed very slow.
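The following added example (not from the original article) ties the pieces together: it picks a bcrypt cost by timing password_hash on the current machine, as the PHP manual suggests, and wraps the verify-then-rehash flow so that hashes created at an older cost are upgraded on the next successful login. The function names and the $users array are hypothetical.

```php
<?php
// Pick a bcrypt cost so that one password_hash() call takes roughly $targetSeconds
// on this machine. Starts from PHP's default cost of 10 and increases until the
// target is reached (bcrypt cost is capped at 31).
function chooseBcryptCost(float $targetSeconds = 0.25): int {
    $cost = 10;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < 31);
    return $cost;
}

// Verify $password against $storedHash. Returns null when the password is wrong.
// On success returns the hash that should now be stored: a freshly computed one
// if $storedHash does not match the current algorithm/options, else $storedHash.
function verifyAndMaybeRehash(string $password, string $storedHash, array $options): ?string {
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        return password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return $storedHash;
}

// Constructed sample data: one user whose hash was created at cost 10,
// followed by a policy change that raises the cost to 12.
$users = ['alice' => password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10])];
$options = ['cost' => 12];

// A wrong password yields null and the stored hash is left untouched.
$result = verifyAndMaybeRehash('wrong-password', $users['alice'], $options);
var_dump($result);

// The correct password verifies and, because the cost changed, a new hash comes back.
$result = verifyAndMaybeRehash('123456', $users['alice'], $options);
var_dump($result !== $users['alice']);
var_dump(password_get_info($result)['options']);
$users['alice'] = $result; // persist the upgraded hash in place of the old one

// Suggested cost for this machine, to feed into $options on a real deployment.
var_dump(chooseBcryptCost(0.25));
```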
Summary
That is all the content of this article. I hope it helps you in your study or work. If you have any questions, please leave a message. Thank you for your support.