Password hash security
A hash (also transliterated as "hash" in some texts) is the result of feeding an input of arbitrary length (the pre-image) through a hash algorithm, which converts it into a fixed-length output, the hash value.
By hashing the password before saving it to the database, an attacker who obtains the database cannot directly read the original password, while your application can still verify a login by applying the same hash processing to the submitted password and comparing the hash results.
However, password hashing only protects passwords from being stolen directly out of the database; it cannot prevent malicious code injected into the application from reading the original password before it is hashed.
Hash algorithms such as MD5, SHA-1 and SHA-256 are designed to be fast and efficient. Modern computers can quickly brute-force guesses against hash values produced by these algorithms, so we do not recommend using them for password hashing.
Two factors must be taken into account when performing password hashing: the computational cost and the "salt". The higher the computational cost of the hash algorithm, the longer brute-force cracking takes.
PHP 5.5 provides a native Password Hashing API that offers a secure way to perform password hashing and verification. The password_hash() function generates a random "salt" for you.
In PHP 5.3 and later you can also use the crypt() function, which supports multiple hash algorithms for which PHP provides native implementations. When using this function, you must make sure the selected hash algorithm is supported by your system. We recommend the Blowfish algorithm (bcrypt) for hashing passwords: compared with MD5 or SHA-1, it has a higher computational cost and that cost is tunable.
crypt() using the Blowfish algorithm, as follows:
<?php
if (CRYPT_BLOWFISH == 1) {
    echo 'Blowfish: ' . crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$') . "\n";
}
Output:
Blowfish: $2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi
string crypt(string $str [, string $salt])
The Blowfish algorithm uses a salt of the following form: "$2a$", a two-digit cost parameter, "$", and a string of characters drawn from the 64-character alphabet "./0-9A-Za-z". Using a character outside this alphabet in the salt causes crypt() to return an empty string. The two-digit cost parameter is the base-2 logarithm of the iteration count and must be in the range 04-31; a value outside this range causes crypt() to fail. Before PHP 5.3.7, only "$2a$" was supported as the salt prefix. PHP 5.3.7 introduced a new prefix to fix a security risk in the Blowfish implementation. In short, developers who only target PHP 5.3.7 and later should use "$2y$" instead of "$2a$".
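As an added example that is not part of the original article, the following PHP code shows how the password_hash()/password_verify() API described above replaces hand-built crypt() salts, and how to guard the crypt() failure mode the article mentions (a bad salt yields an empty or truncated string instead of an error). The function names, the cost value and the demo passwords are my own choices.

```php
<?php
// Added example (not from the original article): bcrypt password storage with the
// PHP >= 5.5 Password Hashing API, plus a guard for the crypt() bad-salt failure mode.

const BCRYPT_COST = 12; // base-2 log of the iteration count; valid range is 04..31

// Hash a new password for storage. password_hash() generates a random salt and
// emits the "$2y$" prefix, so the caller never builds a salt by hand.
function storePassword(string $plaintext): string
{
    $hash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash; // 60 chars: "$2y$12$" + 22-char salt + 31-char hash
}

// Verify a login attempt against the stored hash (password_verify() compares in
// constant time) and report whether the stored hash should be upgraded, e.g. a
// legacy "$2a$" hash or one made with a lower cost than BCRYPT_COST.
function checkPassword(string $plaintext, string $storedHash): array
{
    $ok = password_verify($plaintext, $storedHash);
    $rehash = $ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return ['valid' => $ok, 'needs_rehash' => $rehash];
}

// Legacy path: crypt() does not throw on a malformed salt; depending on PHP version
// it returns "" or a short failure token such as "*0". Treat anything under 13 chars
// as failure so a bad salt can never be stored as if it were a real hash.
function legacyCrypt(string $plaintext, string $salt): string
{
    $result = crypt($plaintext, $salt);
    if (strlen($result) < 13) {
        throw new RuntimeException('crypt() rejected the salt: ' . $salt);
    }
    return $result;
}

// Constructed demo values
$stored = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored)['valid']);
var_dump(checkPassword('wrong password', $stored)['valid']);

// "!" is outside "./0-9A-Za-z", so this salt is rejected and the guard fires
try {
    legacyCrypt('rasmuslerdorf', '$2y$07$usesomesillystring!orsalt$');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Store the value returned by storePassword() as-is; when checkPassword() reports needs_rehash, call storePassword() again on the just-verified plaintext and replace the stored hash.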