"Best Practice Series" PHP developers how to do password protection & Laravel Low-level password storage and validation implementation

As online attacks increase, password security is becoming increasingly important. As a developer we are responsible for security management, computing hashes, and storing user passwords, regardless of whether the app is a simple game or a warehouse for top-secret business documents. PHP has built-in tools that make it easier to protect passwords, and in this section we discuss how to use these tools based on modern security measures.

1. Three principles of password protection

never know the user's password

We absolutely do not know the user's password, there is no way to get the user's password, if the application of the database is black, you certainly do not want to have plain text in the database or can decrypt the password. At any time, the less you know, the more secure you are.

Never constrain a user's password

If a password is required to conform to a specific pattern, it is actually a way for malicious people to attack the application, if you have to constrain the password, I recommend limiting the minimum length, the Common password or dictionary-based password to blacklist is also a good idea.

never send a user password by email

If you send a password to the user by email, the user will know three things: you know his password, you use plain text or can decrypt the way to store his password, you do not send plain text password on the internet to feel uneasy.

The Url,web app that we should send in email to set up or change the password usually generates a unique token, which is used only once when setting or changing the password (such as changing the password), usually we use this token as a parameter to set or modify the password URL, when the user accesses the URL, The app verifies that the token is valid and continues if it is valid, and after the operation completes, the token is invalidated and cannot be reused.

2. Password storage algorithm

The best practice for password storage is to calculate the hash value of the password instead of encrypting the user's password. Encryption and hashing are not the same thing, encryption is a bidirectional algorithm, encrypted data can be decrypted, and the hash is a one-way algorithm, the hashed data can no longer be restored to the original value, and the same data will always get the same hash value.

In the database to store the user's password, to calculate the hash value of the password, and then store the password hash in the database, if the hacker hacked into the database, can only see the meaningless password hash, it takes a lot of time and the NSA resources to crack.

There are many types of hashing algorithms (such as MD5, SHA1, Bcrypt, and Scrypt), some of which are fast enough to validate data integrity, and some algorithms are slow and designed to improve security. Slow, high-security algorithms are used when generating passwords and storing passwords.

At present, the safest algorithm is bcrypt, unlike MD5 and SHA1, Bcrypt deliberately designed slowly, bcrypt will automatically add salt (salt) to prevent potential rainbow table attacks, Bcrypt algorithm will spend a lot of time repeatedly processing data, generate a particularly secure hash value. In this process, the number of times the data is processed is called a work factor, the higher the value of the work factor, the longer it takes to crack the password, and the better the security. The bcrypt algorithm is never outdated, and if the computational speed of the computer becomes faster, we only need to increase the value of the work factor.

3. Password Hash API

With the previous introduction, we know that there are many things to consider when dealing with a user's password, but the PHP 5.5.0 native hash API (http://php.net/manual/zh/book.password.php) provides many easy-to-use functions. Greatly simplifies the operation of calculating password hashes and verifying passwords, and the password hash API uses the BCRPT algorithm by default.

When developing a web app, there are two places where the password hash API is used: registered users and users log in, and below we take the user registration and login provided by Laravel as an example to see how the PHP password hash API simplifies both operations.

Note: The user registration and login functions built into the LARAVAL framework use the PHP hash API for password storage and validation.

Registered Users

The user registration is done in Authcontroller, and the creation of the new user is implemented in the controller's Create method:

You can see that the helper functions provided by Laravel are used here to hash and save the password submitted by the user bcrypt to the database. The Bcrypt function is defined as follows:

Here we can see is actually called the alias as a hash of the service provider instance of the Make method to implement the hash password, into the Hashserviceprovider, in the Register method we can see the hash corresponding to the class Bcrypthasher, in the class We found the Make method:

The core here is to call the PHP-provided Password_hash function, which receives three parameters, the first is the user input password value, the second parameter is the hash algorithm used (more algorithms view: http://php.net/manual/zh/ password.constants.php), the third parameter is optional, including salt and cost two options, respectively representing the interference string (add salt) and the previously mentioned work factor, the work factor can be increased with the hardware performance, No word. Use a random salt and default work factor (the hash value is usually 0.1~0.5s). Throws an exception if the calculation fails.

User Login

In the larval to use the session in auth.php as guards, eloquent as a providers to implement user login authentication as an example (in fact, the default setting is this), the login verification will eventually go to Eloquentuserprovider Validatecredentials Method:

$this->hasher The corresponding implementation is also the Bcrypthasher class, let's look at its check method:

The first parameter passed in is the password entered by the user, the second parameter is the password hash saved when the user registers, and if the hash value is null, the Password_verify function is called, which is used to verify that the password (plain text) and hash value match. The match returns TRUE, otherwise false is returned.

Recalculate Hash Values

Through the above steps the user can already implement login authentication, but before logging in we also need to check whether the existing password hash value has expired, if expired, need to recalculate the password hash value.

Why do we have to recalculate it? Joining our app was created two years ago, when the working factor was 10, now using 20, because the computer is faster and hackers are smarter. It is possible that some users ' password hashes are still generated by the work factor of 10 o'clock, when the login authentication is passed, the Password_needs_refresh function is used to check if the existing hash value in the user record needs to be updated. This function ensures that the specified password hash is created using the latest hashing algorithm. If you do need to recalculate the hash value of the generated password, use the Make method to generate a new hash value and update the original password in the database.

This feature is not currently used in Laraval, but the corresponding function has been provided in the Bcrypthasher class:

