PHP handles passwords in several ways "reproduced"

Transferred from: http://www.3lian.com/edu/2015/08-01/235322.html

In the use of PHP to develop Web applications, many applications will require users to register, and the registration of the time we need to deal with the user's information, the most common is the mailbox and password, this article is intended to discuss the processing of the password: that is, the encryption of the password processing.

MD5

I believe that many PHP developers in the first contact with PHP, the first cryptographic function to handle the password may be MD5, I was like this:

$password = MD5 ($_post["password"]);

Is the above code familiar? However, the MD5 encryption method is currently in the Lake of PHP is not very popular, because its encryption algorithm is a bit simple, and many of the site to crack passwords are stored a lot of MD5 encrypted password string, So here I am not advocating the use of MD5 to encrypt the user's password alone.

SHA256 and SHA512

In fact, with the previous MD5 the same time there is a SHA1 encryption method, but also the algorithm is relatively simple, so here is a stroke of it. And here is going to talk about the SHA256 and SHA512 are from the SHA2 family of cryptographic functions, look at the name may you guessed out, the two encryption methods to generate 256 and 512 bits of the length of the hash string.

They are used in the following ways:

$password = Hash ("sha256", $password);

PHP has built-in hash () function, you just need to pass the encryption method to the hash () function just fine. You can directly specify SHA256, SHA512, MD5, SHA1 and other encryption methods.

Salt value

In the process of encryption, we also have a very common small partner: Salt values. Yes, when we encrypt, we actually add an extra string to the encrypted string for the purpose of increasing security:

function Generatehashwithsalt ($password) {

$intermediateSalt = MD5 (Uniqid (rand (), true));

$salt = substr ($intermediateSalt, 0, 6);

Return hash ("sha256", $password. $salt);

}

Bcrypt

If I were to suggest an encryption, Bcrypt might be the minimum I recommend to you, because I would strongly recommend the Hashing API you'll be talking about later, but Bcrypt is a good way to encrypt.

function Generatehash ($password) {

if (Defined ("Crypt_blowfish") && crypt_blowfish) {

$salt = ' $2y$11$ '. SUBSTR (MD5 (Uniqid (rand (), true)), 0, 22);

Return crypt ($password, $salt);

}

}

Bcrypt is actually a combination of Blowfish and crypt () functions, where we can determine whether Blowfish is available by crypt_blowfish, and then generate a salt value as above, but it is important to note that the salt value of crypt () must be $2a$ or For more information, refer to the following link: $2y$

http://www.php.net/security/crypt_blowfish.php

More information can be seen here:

http://php.net/manual/en/function.crypt.php

Password Hashing API

Here is our play, Password Hashing API is a new feature after PHP 5.5, it mainly provides the following functions for us to use:

Password_hash () – Encrypt the password.

Password_verify () – verifies that a password has been encrypted to verify that its hash string is consistent.

Password_needs_rehash () – Re-encrypt the password.

Password_get_info () – Returns the name of the cryptographic algorithm and some related information.

Although the crypt () function is sufficient to use, but Password_hash () not only can make our code shorter, but also in the security to give us better protection, so now the official PHP is recommended this way to encrypt the user's password, a lot of popular frameworks such as Laravel is the type of encryption that is used.

$hash = Password_hash ($passwod, Password_default);

Yes, it's that simple, a line of code, all done.

Password_default is currently using Bcrypt, so I would say recommend this, but because PASSWORD Hashing API do better, I must solemnly think you recommend PASSWORD Hashing API. It is important to note that if your code is using Password_default encryption, then in the database table, the PASSWORD field must be set more than 60 characters in length, you can also use Password_bcrypt, this time, After encryption, the string is always 60 characters long.

Here Password_hash () you can completely not provide salt and consumption value (cost), you can understand the latter as a performance of the consumption value, the greater the cost, the more complex the encryption algorithm, the more memory consumed. Of course, if you need to specify the corresponding salt value and consumption value, you can write:

$options = [

' Salt ' = Custom_function_for_salt (),//write your own code to generate a suitable salt

' Cost ' = +//The default cost is 10

];

$hash = Password_hash ($password, Password_default, $options);

After the password is encrypted, we need to verify the password to determine if the user entered the correct password:

if (Password_verify ($password, $hash)) {

Pass

}

else {

Invalid

}

Quite simply, using password_verify directly validates the string that we have previously encrypted (in the database that exists).

However, if there are times when we need to change our encryption, such as a day when we suddenly want to change the salt value or increase the consumption value, we are going to use the Password_needs_rehash () function at this time:

if (Password_needs_rehash ($hash, Password_default, [' cost ' = 12])) {

Cost Change to 12

$hash = Password_hash ($password, Password_default, [' cost ' = 12]);

Don ' t forget to store the new hash!

}

Only in this way, the PHP Password Hashing API will know that we re-replaced the encryption method, so that the main purpose is to verify the password later.

Simply say Password_get_info (), this function generally can see the following three information:

algo– Algorithm Example

algoname– algorithm Name

Optional parameters for options– encryption

So, start with PHP 5.5 now, and stop obsessing about the lower version.

PHP handles passwords in several ways "reproduced"