This article introduces bcrypt, the more secure password hashing mechanism available in PHP. It is explained in detail and should be a useful reference for anyone who needs it.
Objective
To limit the damage when a server is attacked and its database is dumped, users' passwords are not stored in plaintext; they are stored as one-way, irreversible hashes so the original passwords are not exposed.
The common ways of doing this are:
| Hash method | Hashed password |
|---|---|
| md5('123456') | e10adc3949ba59abbe56e057f20f883e |
| md5('123456' . ($salt = 'salt')) | 207acd61a3c1bd506d7e9a4535359f8a |
| sha1('123456') | 40-character digest |
| hash('sha256', '123456') | 64-character digest |
| hash('sha512', '123456') | 128-character digest |
The longer the digest, the longer it takes to brute-force it on the same machine, and the more secure it is.
The more common hashing method is MD5 + salt, which prevents a simple user-chosen password from being cracked easily.
password_hash
However, the recommended approach today is the password_hash() function: it salts the password for you and the result is very hard to crack.
$password = '123456';
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(password_hash($password, PASSWORD_DEFAULT));
The length of the password_hash result is 60 characters for PASSWORD_BCRYPT and 60 to 255 characters for PASSWORD_DEFAULT. The value of PASSWORD_DEFAULT depends on the PHP version; it equals one of the other algorithm constants, but this does not affect how it is used.
Each password_hash run produces a different result, so the password_verify function must be used for validation.
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $hash));
All parameters of the hash are stored in the hash result itself, and password_get_info can be used to read them back.
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_get_info($hash));
Output
array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}
Note: the salt is not included.
You can see that, in the PHP version I am currently using, PASSWORD_DEFAULT is actually PASSWORD_BCRYPT.
password_hash($password, $algo, $options)
The third parameter, $options, supports setting your own salt of at least 22 characters. However, it is still strongly recommended to use the salt PHP generates by default and not to set the salt yourself. (The salt option was deprecated in PHP 7.0 and removed in PHP 8.0.)
When you want to upgrade the hashing algorithm or its options, password_needs_rehash can tell you whether a stored hash needs to be recomputed. The following code is the official example from the PHP manual:
$options = array('cost' => 11);   // cost value used in the manual's example

// Verify stored hash against plain-text password
if (password_verify($password, $hash)) {
    // Check if a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, create a new hash, and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }

    // Log user in
}
password_needs_rehash can be understood as comparing $algo + $options against the return value of password_get_info($hash).
password_hash runs slowly
password_hash is known to be slow, which means that in the same amount of time an attacker can attempt fewer password guesses, so the risk from a leaked hash is reduced.
$password = '123456';
var_dump(microtime(true));
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(microtime(true));
echo "\n";
var_dump(microtime(true));
var_dump(md5($password));
for ($i = 0; $i < 999; $i++) {
    md5($password);
}
var_dump(microtime(true));
Output
float(1495594920.7034)
string(60) "$2y$10$9ZLVGZQMIZPEKYIIUCHT6EUJQEBEKOAJFQO8/JW/Q6DMRMWNN0PDM"
float(1495594920.7818)

float(1495594920.7818)
string(32) "e10adc3949ba59abbe56e057f20f883e"
float(1495594920.7823)
password_hash takes 784 milliseconds for a single run, while MD5 takes 5 milliseconds for 1000 runs. This is a very rough comparison and depends on the machine, but it still shows that password_hash really is very slow.
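To tie the password_needs_rehash example and the timing measurement above together, here is an added example (not from the original article) that stores only hashes, verifies logins, transparently upgrades old hashes, and calibrates the bcrypt cost for the machine it runs on. The function names and the in-memory $users array are assumptions made for this demo.

```php
<?php
// Added example: minimal credential store using PHP's password_* functions.
// calibrateCost, registerUser, loginUser and $users are names assumed here.

// Highest bcrypt cost that still hashes in under $targetMs on this hardware.
function calibrateCost(float $targetMs = 100.0): int
{
    for ($cost = 5; $cost <= 31; $cost++) {          // 4 is the bcrypt minimum
        $start = microtime(true);
        password_hash('calibration', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((microtime(true) - $start) * 1000 >= $targetMs) {
            return max($cost - 1, 4);                // last cost under the target
        }
    }
    return 31;
}

// Store only the hash; salt and cost are embedded in the hash string itself.
function registerUser(array &$users, string $name, string $password, int $cost): void
{
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify the password, then upgrade the stored hash if the cost policy changed.
function loginUser(array &$users, string $name, string $password, int $cost): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;                                // unknown user or wrong password
    }
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, ['cost' => $cost])) {
        // We only have the plaintext at login time, so this is when to rehash.
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return true;
}

$users = [];                                         // constructed in-memory store
registerUser($users, 'alice', 'correct horse', 10);  // old policy: cost 10
var_dump(password_get_info($users['alice'])['options']['cost']);

$newCost = max(calibrateCost(100.0), 11);            // new policy: at least 11
var_dump(loginUser($users, 'alice', 'wrong', $newCost));
var_dump(loginUser($users, 'alice', 'correct horse', $newCost));
var_dump(password_get_info($users['alice'])['options']['cost'] === $newCost);
```

A failed login never triggers a rehash, and the stored cost only changes after a successful verification with the current plaintext.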