More secure PHP password encryption mechanism Bcrypt details, more secure bcrypt

More secure PHP password encryption mechanism Bcrypt details, more secure bcrypt

Preface

To avoid attacks on the server, when the database is dragged to the database, the plaintext password of the user is not disclosed. Generally, the password is one-way, irreversible, encrypted, and hashed.

Common methods are:

Hash Mode	Encrypted password
Md5 ('20140901 ')	E10adc3949ba59abbe56e057f20f883e
Md5 ('20140901'. ($ salt = 'salt '))	207acd61a3c1bd506d7e9a4535359f8a
Sha1 ('20140901 ')	40-bit ciphertext
Hash ('sha256 ', '123 ')	64-bit ciphertext
Hash ('sha512', '123 ')	128-bit ciphertext

The longer the password, the longer it takes to hit the database on the same machine, and the safer it is.

The common hash method is md5 + salt, which prevents users from setting simple passwords and cracking them easily.

Password_hash

However, what we recommend now ispassword_hash()Function, which can easily encrypt the password by adding salt, and can hardly crack the password.

$password = '123456'; var_dump(password_hash($password, PASSWORD_DEFAULT));var_dump(password_hash($password, PASSWORD_DEFAULT));

password_hashThe generated hash length is PASSWORD_BCRYPT -- 60 bits and PASSWORD_DEFAULT -- 60 bits ~ 255 bits. The value of PASSWORD_DEFAULT is related to the php version and will be equal to other values, but it does not affect usage.

Each timepassword_hashThe running results are different, so you need to usepassword_verifyFunction.

$password = '123456'; $hash = password_hash($password, PASSWORD_DEFAULT);var_dump(password_verify($password, $hash));

password_hashAll hash calculation parameters are stored in the hash result.password_get_infoObtain related information.

$password = '123456';$hash = password_hash($password, PASSWORD_DEFAULT);var_dump(password_get_info($hash));

Output

array(3) { ["algo"]=> int(1) ["algoName"]=> string(6) "bcrypt" ["options"]=> array(1) { ["cost"]=> int(10) }}

Note:Not including salt

It can be seen that my current PHP version usesPASSWORD_DEFAULTActually usedPASSWORD_BCRYPT.

password_hash($password, $algo, $options) The third parameter$options You can set a salt of at least 22 characters. However, it is strongly recommended that you use the default salt generated by PHP. Do not set the salt manually.

When you want to update the encryption algorithm and encryption options, you can use password_needs_rehash Determine whether to re-encrypt. The following code is an official example.

$options = array('cost' => 11);// Verify stored hash against plain-text passwordif (password_verify($password, $hash)){ // Check if a newer hashing algorithm is available // or the cost has changed if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {  // If so, create a new hash, and replace the old one  $newHash = password_hash($password, PASSWORD_DEFAULT, $options); } // Log user in}

password_needs_rehashCan be understood as a comparison$algo +$optionAndpassword_get_info($hash) Return Value.

Slow password_hash operation

password_hashIt means that the password retry times are small within the same time, and the risk of leakage is reduced.

$password = '123456';var_dump(microtime(true));var_dump(password_hash($password, PASSWORD_DEFAULT));var_dump(microtime(true)); echo "\n"; var_dump(microtime(true));var_dump(md5($password));for ($i = 0; $i < 999; $i++){ md5($password);}var_dump(microtime(true));

Output

float(1495594920.7034)string(60) "$2y$10$9ZLvgzqmiZPEkYiIUchT6eUJqebekOAjFQO8/jW/Q6DMrmWNn0PDm"float(1495594920.7818)float(1495594920.7818)string(32) "e10adc3949ba59abbe56e057f20f883e"float(1495594920.7823)

password_hashIt takes 784 milliseconds to run each time, and 5 milliseconds to run md5 for 1000 times. This is a rough comparison. It depends on the running machine, but it can be seen thatpassword_hashThe operation is indeed very slow.

Summary

The above is all the content of this article. I hope the content of this article will help you in your study or work. If you have any questions, please leave a message, thank you for your support.