Password hashing security, password _php tutorial

Password hashing security, password scattered

Hash, the general translation to do "hash", there is a direct transliteration of "hash", is the arbitrary length of the input (also known as pre-mapping), through the hash algorithm, transformed into a fixed-length output, the output is the hash value.

By hashing the password and then saving it to the database, it makes it impossible for an attacker to get the original password directly, while also ensuring that your app can hash the original password the same and then hash the result.

However, password hashing only protects passwords from being stolen directly from the database and does not guarantee that malicious code injected into the app will intercept the original password.

Hashing algorithms such as MD5, SHA1, and SHA256 are designed for fast, efficient hashing. Modern computers can quickly "invert" the hash value of the above hashing algorithm, and it is not recommended to use these algorithms in password hashing.

When hashing a password, there are two factors to consider: The amount of computation and the "salt". The greater the computational weight of the hashing algorithm, the longer it takes for brute force to crack.

php5.5 provides a native password hashing API that provides a secure way to complete password hashing and validation. The Password_hash () function randomly generates "salt".

In php5.3 and later versions, you can also use the crypt () function, which supports a variety of hashing algorithms. PHP provides a corresponding native implementation, all when using this function, you need to ensure that the selected hash algorithm is supported by your system. When hashing the password, it is recommended to use the Blowfish algorithm, compared to MD5 or SHA1, this algorithm provides a higher computational capacity, but also good scalability.

Crypt (), using the Blowfish algorithm, is as follows:

if (Crypt_blowfish = = 1)    {echoCRYPT(' Rasmuslerdorf ', ' $2a$07$ usesomesillystringforsalt$ '). "\ n";}

Output:

Blowfish: $2a$07$usesomesillystringfore 2udlvp1ii2e./u9c8sbjqp8i90dh6hi

String crypt ( string $str [, string $salt ])

The Blowfish algorithm uses the following salt values: "$2a$", a two-bit cost parameter, "$", and a string of 64 bits that are combined by the characters in "./0-9a-za-z". Using a character outside of this range in the Salt value causes crypt () to return an empty string. The two-bit cost parameter is the logarithm of the number of cycles with a base of 2, and its range is 04-31, and exceeding this range will cause crypt () to fail. PHP 5.3.7 previously only supported "$2a$" as the salt value prefix, PHP 5.3.7 began to introduce a new prefix to fix a security risk in the Blowfish implementation. In summary, developers should use "$2y$" instead of "$2a$" if they are only developing for PHP 5.3.7 and later versions.

http://www.bkjia.com/PHPjc/1132197.html www.bkjia.com true http://www.bkjia.com/PHPjc/1132197.html techarticle Password hash security, password hash hash, general translation do hash, there is a direct transliteration of the hash, is the arbitrary length of the input (also known as pre-mapping), through the hashing algorithm, change into ...

