PHP's more secure password hashing mechanism: bcrypt

Source: Internet
Author: User
This article introduces PHP's more secure password hashing mechanism, bcrypt, in detail. It has some reference value for anyone who needs it, so read on.
</gre_replace>
<gr_replace lines="7-9" cat="clarify" orig="Objective">
Background

To make sure that users' plaintext passwords are not exposed when a server is attacked and its database is dumped, passwords are generally stored only as a one-way, irreversible hash.

Objective

We often in order to avoid attacks on the server, the database is dragged library, the user's plaintext password is not compromised, the password is generally one-way irreversible encryption-hash.

The common ways are:

Hash method                          | Hashed password
-------------------------------------|------------------------------------------
md5('123456')                        | e10adc3949ba59abbe56e057f20f883e
md5('123456' . ($salt = 'salt'))     | 207acd61a3c1bd506d7e9a4535359f8a
sha1('123456')                       | 40-character hex digest
hash('sha256', '123456')             | 64-character hex digest
hash('sha512', '123456')             | 128-character hex digest

The longer the digest, the longer an exhaustive dictionary search against it takes on the same machine, and the more secure it is.

The more common method is MD5 + salt, which stops a user's simple password from being cracked easily by a precomputed lookup.

password_hash

However, the password_hash() function is now recommended: it salts the password automatically and the result is very hard to crack.

$password = '123456';
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(password_hash($password, PASSWORD_DEFAULT));

The length of the hash that password_hash produces is 60 characters for PASSWORD_BCRYPT, and 60 to 255 characters for PASSWORD_DEFAULT. The value of PASSWORD_DEFAULT depends on the PHP version (it is an alias for one of the other algorithm constants), but this does not affect its use.

Each call to password_hash produces a different result (a fresh random salt), so you must use the password_verify function for validation.

$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $hash));

password_hash stores all of the hash's parameters in the result string, and password_get_info can be used to read them back.

$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_get_info($hash));

Output

array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}

Note: the salt is not included.

You can see that in my current PHP version, PASSWORD_DEFAULT actually resolves to PASSWORD_BCRYPT.

The third parameter, $options, of password_hash($password, $algo, $options) supports supplying your own salt of at least 22 characters. However, it is still strongly recommended to use the salt that PHP generates by default and not to set one yourself.

When you want to change the hashing algorithm or its options, password_needs_rehash tells you whether a stored hash needs to be regenerated. The following code is the official example:

$options = array('cost' => 11); // cost value as in the PHP manual's example

// Verify stored hash against plain-text password
if (password_verify($password, $hash)) {
    // Check if a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, create a new hash, and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }

    // Log user in
}

password_needs_rehash can be understood as comparing $algo and $options against the values returned by password_get_info($hash).
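The rehash-on-login flow above, worked through end to end as an added example (this is not code from the original article): the in-memory $users table, the policy constants and the login() function are constructed for the demonstration, and the stored hash starts at cost 10 so that password_needs_rehash() reports it as outdated under a cost-12 policy.

```php
<?php
// Added example, not code from the original article: a login routine that
// verifies the password and transparently upgrades an outdated hash using
// password_needs_rehash(). The $users table, the policy constants and
// login() are constructed for this demonstration.
declare(strict_types=1);

// Current policy: bcrypt with cost 12 (the article's default is 10).
// Never pass a 'salt' option: PHP generates one itself, and the option was
// deprecated in PHP 7.0 and removed in PHP 8.0.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed user table: alice's hash was made under the old cost-10 policy.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])],
];

/**
 * Returns true on a successful login. On success, if the stored hash does
 * not match the current algorithm/cost, re-hash the plaintext (it is only
 * available at login time) and store the replacement.
 */
function login(array &$users, string $username, string $password): bool
{
    // Verify against a fixed dummy hash for unknown users so that the
    // response time is similar whether or not the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unknown-user-placeholder', HASH_ALGO, HASH_OPTIONS);
    }

    $stored = $users[$username]['hash'] ?? $dummy;
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (isset($users[$username])
        && password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$costBefore = password_get_info($users['alice']['hash'])['options']['cost'];
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse'));
$costAfter = password_get_info($users['alice']['hash'])['options']['cost'];
var_dump($costBefore, $costAfter);
var_dump(password_needs_rehash($users['alice']['hash'], HASH_ALGO, HASH_OPTIONS));
```

After the successful login the stored hash's cost has moved from 10 to 12 and password_needs_rehash() returns false, while the failed attempt leaves the hash untouched.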

password_hash is slow

password_hash is known to run slowly. This means that in the same amount of time an attacker can try far fewer password guesses, which reduces the risk of a leaked hash being cracked.

$password = '123456';

var_dump(microtime(true));
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(microtime(true));

echo "\n";

var_dump(microtime(true));
var_dump(md5($password));
for ($i = 0; $i < 999; $i++) {
    md5($password);
}
var_dump(microtime(true));

Output

float(1495594920.7034)
string(60) "$2y$10$9ZLVGZQMIZPEKYIIUCHT6EUJQEBEKOAJFQO8/JW/Q6DMRMWNN0PDM"
float(1495594920.7818)

float(1495594920.7818)
string(32) "e10adc3949ba59abbe56e057f20f883e"
float(1495594920.7823)

password_hash takes 784 milliseconds for one run, while running MD5 1000 times takes 5 milliseconds. This is a very rough comparison and depends on the machine it runs on, but it still shows that password_hash is really very slow.
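Since the cost of password_hash is what makes it slow, an added example (not from the original article) of choosing the bcrypt cost for a given machine: the function name and the 250 ms target budget are assumptions for the demonstration.

```php
<?php
// Added example, not code from the original article: find the highest bcrypt
// cost whose password_hash() time stays within a time budget on this machine.
// calibrateBcryptCost() and the 250 ms default target are assumptions.
declare(strict_types=1);

function calibrateBcryptCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 31): int
{
    $cost = $minCost;
    // Each +1 in cost doubles bcrypt's work, so step upward until a single
    // hash exceeds the budget, then keep the last cost that fit.
    while ($cost < $maxCost) {
        $start = microtime(true);
        password_hash('calibration-only-not-a-real-password', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs > $targetMs) {
            break;
        }
        $cost++;
    }
    return $cost;
}

$cost = calibrateBcryptCost();
printf("Recommended bcrypt cost on this machine: %d\n", $cost);
```

Re-run the calibration when the hardware changes, and pair the chosen cost with password_needs_rehash() so existing hashes are upgraded at the users' next login.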
