A more secure PHP password hashing mechanism: bcrypt and password_hash() in detail

Source: Internet
Author: User


Preface

The goal is that an attacker who compromises the server and dumps the database does not obtain users' plaintext passwords. For that reason passwords are normally stored as one-way, irreversible hashes rather than encrypted (reversible) values.

Common methods (the hashes in the first two rows are for the password '123456'; the others give only the digest length):

Hash call                              Stored value
md5('123456')                          e10adc3949ba59abbe56e057f20f883e (32 hex characters)
md5('123456' . ($salt = 'salt'))       207acd61a3c1bd506d7e9a4535359f8a (32 hex characters)
sha1('123456')                         40 hex characters (160 bits)
hash('sha256', '123')                  64 hex characters (256 bits)
hash('sha512', '123')                  128 hex characters (512 bits)

The usual reasoning is that a longer digest means more work for an attacker running the dumped table through a cracking rig on the same machine. Digest length is not what really matters, though: MD5, SHA-1 and SHA-2 are all designed to be fast, so the limiting factor is how expensive each guess is, which is exactly what bcrypt changes below.

The common approach is md5 + salt. The salt does not stop users from choosing weak passwords; what it does is make identical passwords hash to different values and defeat precomputed (rainbow) tables, so every hash has to be attacked separately.

Password_hash

The recommended function today is password_hash(). It generates a random salt itself and applies a deliberately slow hash (bcrypt by default), which makes the stored value very hard to crack.

$password = '123456';
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(password_hash($password, PASSWORD_DEFAULT)); // second call: different output, see below

The hash produced by password_hash() is 60 characters long for PASSWORD_BCRYPT. For PASSWORD_DEFAULT the length may grow in future PHP versions as the default algorithm changes, so the database column should be sized for up to 255 characters (for example varchar(255)). Which algorithm PASSWORD_DEFAULT resolves to depends on the PHP version, but this does not change how the functions are used.

Every call to password_hash() returns a different string because a fresh random salt is generated, so a stored hash cannot be compared with == against a newly computed one. Use password_verify(), which reads the salt and cost out of the stored hash, recomputes, and compares.

$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $hash));

password_hash() stores all of the hash parameters (algorithm, cost and salt) inside the resulting string. password_get_info() reads the algorithm and its options back out of a hash.

$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_get_info($hash));

Output

array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}

Note: the options array does not include the salt, even though the salt is embedded in the hash string itself.

So on my current PHP version PASSWORD_DEFAULT actually resolves to PASSWORD_BCRYPT (algo 1). On PHP 7.4 and later the algo value comes back as the string "2y" instead of int(1); the algoName "bcrypt" is the same.

password_hash($password, $algo, $options): the third parameter can also carry a salt of at least 22 characters. Do not set one yourself; let PHP generate the salt from a secure random source. The salt option was deprecated in PHP 7.0 and is ignored (with a warning) from PHP 8.0 onwards.
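To make the "everything is in the hash string" point concrete, here is an added example (not code from the original article) that pulls the cost and the 22-character salt back out of a bcrypt string. The parseBcryptHash() function and its regular expression are my own; they assume the standard bcrypt layout "$2y$" + two-digit cost + "$" + 22 salt characters + 31 digest characters.

```php
<?php
// Added example, not from the original article: read the parameters back out
// of a bcrypt string to show that everything password_verify() needs,
// including the salt, travels inside the 60-character hash itself.
//
// Layout assumed: $2y$ + two-digit cost + $ + 22 salt chars + 31 digest chars,
// all drawn from the bcrypt alphabet ./A-Za-z0-9.
function parseBcryptHash(string $hash): ?array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null; // not bcrypt: PASSWORD_DEFAULT may point elsewhere in a future PHP
    }
    return [
        'version' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'digest'  => $m[4],
    ];
}

$hash  = password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]);
$parts = parseBcryptHash($hash);
if ($parts === null) {
    exit("not a bcrypt hash\n");
}
print_r($parts);

// The cost we parsed is the one password_get_info() reports ...
$info = password_get_info($hash);
var_dump($info['options']['cost'] === $parts['cost']);

// ... while the salt is only available from the string itself.
var_dump(isset($info['options']['salt']));

// Hashing the same password again gives a different string purely because a
// fresh random salt was drawn; the cost stays the same.
$again = parseBcryptHash(password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]));
var_dump($again['salt'] !== $parts['salt']);
var_dump($again['cost'] === $parts['cost']);

// Verification still works on the original string, because the salt and cost
// are read from it rather than stored in separate columns.
var_dump(password_verify('123456', $hash));
```

The regular expression deliberately accepts only the bcrypt prefixes ($2a$, $2b$, $2x$, $2y$); if PASSWORD_DEFAULT ever changes to another algorithm the function returns null rather than misreading the string, which is the same reason the storage column should be wider than 60 characters.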

When you later want to change the hashing algorithm or its options (for example raise the cost), password_needs_rehash() tells you whether a stored hash should be recomputed. The following code is the example from the PHP manual.

$options = array('cost' => 11);

// Verify stored hash against plain-text password
if (password_verify($password, $hash)) {
    // Check if a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, create a new hash, and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }

    // Log user in
}

password_needs_rehash() can be understood as comparing $algo and $options against what password_get_info($hash) returns: if the algorithm or any option (such as the cost) differs, it returns true. The rehash can only happen at login time, because that is the only moment the plaintext password is available.
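The manual snippet above leaves out where $hash comes from and where $newHash goes. The following is an added example of my own (not from the original article or the PHP manual) that completes it into a login function: $users is a constructed in-memory stand-in for the users table, and in a real application the rehashed value would be written back with an UPDATE. The HASH_ALGO / HASH_OPTIONS constants and the throwaway hash for unknown users are my additions.

```php
<?php
// Added example, not from the original article: a complete login check that
// combines password_verify() with password_needs_rehash(), so hashes made with
// an older cost are upgraded transparently the next time the user logs in.
// $users is a constructed stand-in for the users table.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 11];

function login(array &$users, string $username, string $password): bool
{
    // Verify against a throwaway hash when the account does not exist, so an
    // unknown username costs roughly the same time as a wrong password and
    // the response time does not reveal which usernames are valid.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);
    }
    $hash = $users[$username]['hash'] ?? $dummyHash;

    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }

    // The stored hash was produced with older parameters: recompute it now,
    // while the plaintext is in hand, and store the replacement.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed account, created back when the site still used cost 10.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 10])],
];

var_dump(login($users, 'alice', 'wrong password'));        // rejected, hash untouched
var_dump(password_get_info($users['alice']['hash'])['options']['cost']);

var_dump(login($users, 'nobody', 'anything'));             // unknown user, rejected

var_dump(login($users, 'alice', 'correct horse battery')); // accepted, hash upgraded to cost 11
var_dump(password_get_info($users['alice']['hash'])['options']['cost']);

// A second successful login finds the hash already current and leaves it alone.
var_dump(password_needs_rehash($users['alice']['hash'], HASH_ALGO, HASH_OPTIONS));
```

Keeping the algorithm and options in one place (here the two constants) is what makes the upgrade path work: raising the cost in the config is enough, and every account is migrated on its next successful login without any batch job or forced password reset.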

password_hash() is slow

The slowness of password_hash() is a feature: bcrypt with cost 10 runs 2^10 = 1024 rounds of its expensive key setup per hash, so an attacker can try far fewer candidate passwords per second against a dumped table, which limits the damage of a database leak.

$password = '123456';

var_dump(microtime(true));
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(microtime(true));

echo "\n";

var_dump(microtime(true));
var_dump(md5($password));
for ($i = 0; $i < 999; $i++) {
    md5($password);
}
var_dump(microtime(true));

Output

float(1495594920.7034)
string(60) "$2y$10$9ZLvgzqmiZPEkYiIUchT6eUJqebekOAjFQO8/jW/Q6DMrmWNn0PDm"
float(1495594920.7818)

float(1495594920.7818)
string(32) "e10adc3949ba59abbe56e057f20f883e"
float(1495594920.7823)

Reading the timestamps, one password_hash() call took about 78 ms (0.7818 - 0.7034 s), while 1000 md5() calls took about 0.5 ms, i.e. roughly half a microsecond each. This is only a rough comparison, it depends on the machine and microtime() is shown with four decimals here, but the difference is five orders of magnitude: password_hash() is very slow by design, and that is what keeps the cracking rate down.
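The cost parameter is how you control that slowness, and the right value depends on the hardware. The following is an added example of my own (not from the original article) that measures how the time per hash scales with the cost and picks the highest cost that still fits a time budget; the 50 ms budget, the cost range 10 to 15 and the function names are assumptions to be adjusted for your own login latency and servers.

```php
<?php
// Added example, not from the original article: measure how the bcrypt cost
// parameter scales and pick the highest cost that still fits a time budget on
// this machine. The 50 ms budget and the cost range are assumptions.
function timeHash(int $cost, int $rounds = 3): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (microtime(true) - $start) / $rounds;   // seconds per hash
}

// Each +1 in cost doubles bcrypt's work factor, so the time per hash should
// roughly double from one line to the next.
function tuneBcryptCost(float $budgetSeconds, int $minCost = 10, int $maxCost = 15): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $seconds = timeHash($cost);
        printf("cost %2d: %7.1f ms per hash, ~%d guesses/s on one core\n",
               $cost, $seconds * 1000, (int) (1 / max($seconds, 1e-9)));
        if ($seconds > $budgetSeconds) {
            break;              // over budget: keep the previous cost
        }
        $chosen = $cost;
    }
    return $chosen;
}

// md5 for comparison: a plain fast hash lets one core try millions of guesses
// per second, which is exactly the problem bcrypt's cost parameter fixes.
$iterations = 100000;
$start = microtime(true);
for ($i = 0; $i < $iterations; $i++) {
    md5('benchmark-password');
}
$md5Seconds = (microtime(true) - $start) / $iterations;
printf("md5    : %7.4f ms per hash, ~%d guesses/s on one core\n",
       $md5Seconds * 1000, (int) (1 / max($md5Seconds, 1e-9)));

$cost = tuneBcryptCost(0.05);
printf("chosen cost: %d\n", $cost);
// Store the chosen value once (e.g. in configuration) and pass it as
// ['cost' => $cost] to both password_hash() and password_needs_rehash().
```

Run this on the actual application servers, not a developer laptop, and re-run it when the hardware changes; because password_needs_rehash() compares the stored cost with the configured one, raising the configured cost later migrates existing hashes automatically at the users' next login.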

Summary

The above is all the content of this article. I hope the content of this article will help you in your study or work. If you have any questions, please leave a message, thank you for your support.
