Password hashing security, password _php tutorial

Source: Internet
Author: User
Tags crypt sha1

Password hashing security, password scattered


Hash, the general translation to do "hash", there is a direct transliteration of "hash", is the arbitrary length of the input (also known as pre-mapping), through the hash algorithm, transformed into a fixed-length output, the output is the hash value.

By hashing the password and then saving it to the database, it makes it impossible for an attacker to get the original password directly, while also ensuring that your app can hash the original password the same and then hash the result.

However, password hashing only protects passwords from being stolen directly from the database and does not guarantee that malicious code injected into the app will intercept the original password.

Hashing algorithms such as MD5, SHA1, and SHA256 are designed for fast, efficient hashing. Modern computers can quickly "invert" the hash value of the above hashing algorithm, and it is not recommended to use these algorithms in password hashing.

When hashing a password, there are two factors to consider: The amount of computation and the "salt". The greater the computational weight of the hashing algorithm, the longer it takes for brute force to crack.

php5.5 provides a native password hashing API that provides a secure way to complete password hashing and validation. The Password_hash () function randomly generates "salt".

In php5.3 and later versions, you can also use the crypt () function, which supports a variety of hashing algorithms. PHP provides a corresponding native implementation, all when using this function, you need to ensure that the selected hash algorithm is supported by your system. When hashing the password, it is recommended to use the Blowfish algorithm, compared to MD5 or SHA1, this algorithm provides a higher computational capacity, but also good scalability.

Crypt (), using the Blowfish algorithm, is as follows:

if (Crypt_blowfish = = 1)    {echoCRYPT(' Rasmuslerdorf ', ' $2a$07$ usesomesillystringforsalt$ '). "\ n";}

Output:

Blowfish: $2a$07$usesomesillystringfore 2udlvp1ii2e./u9c8sbjqp8i90dh6hi

String crypt ( string $str [, string $salt ])

The Blowfish algorithm uses the following salt values: "$2a$", a two-bit cost parameter, "$", and a string of 64 bits that are combined by the characters in "./0-9a-za-z". Using a character outside of this range in the Salt value causes crypt () to return an empty string. The two-bit cost parameter is the logarithm of the number of cycles with a base of 2, and its range is 04-31, and exceeding this range will cause crypt () to fail. PHP 5.3.7 previously only supported "$2a$" as the salt value prefix, PHP 5.3.7 began to introduce a new prefix to fix a security risk in the Blowfish implementation. In summary, developers should use "$2y$" instead of "$2a$" if they are only developing for PHP 5.3.7 and later versions.

http://www.bkjia.com/PHPjc/1132197.html www.bkjia.com true http://www.bkjia.com/PHPjc/1132197.html techarticle Password hash security, password hash hash, general translation do hash, there is a direct transliteration of the hash, is the arbitrary length of the input (also known as pre-mapping), through the hashing algorithm, change into ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.