This article introduces several ways of handling passwords in PHP and explains in detail how to hash and store them. PHP applications frequently need to authenticate users, so the question is how to process the password, that is, how to hash it before it is stored.
MD5
I suspect that for many PHP developers the first function they reached for when handling passwords was md5(); that is certainly what I did at the time:
$password = md5($_POST["password"]);
Does the code above look familiar? MD5 is not secure for passwords today: the algorithm is simple and fast to compute, and password-cracking sites hold huge lookup tables of precomputed MD5 hashes, so an unsalted MD5 of a common password can be reversed instantly. For that reason I do not recommend using MD5 alone to protect user passwords.
SHA256 and SHA512
SHA1 dates from the same period as MD5 and is likewise a simple, fast algorithm, so it is not covered here. SHA256 and SHA512 both belong to the SHA-2 family; as the names suggest, they produce 256-bit and 512-bit hashes respectively.
Their usage is as follows:
$password = hash("sha256", $password);
PHP has a built-in hash() function; you only need to pass the algorithm name as its first argument, and you can specify sha256, sha512, md5, sha1 and many other algorithms directly.
Salt value
A very common ingredient in password hashing is the salt: an extra random string appended to the password before hashing, which makes precomputed lookup tables useless. The salt must be stored alongside the hash so that the same value can be used for later comparison:
function generateHashWithSalt($password) {
    // Use a CSPRNG for the salt (PHP 7+); the original md5(uniqid(rand(), true)) is not cryptographically random
    $salt = bin2hex(random_bytes(3)); // 6 hex characters, as in the original
    $hash = hash("sha256", $password . $salt);
    // Return both values: the salt must be stored with the hash, or the password can never be checked again
    return ['hash' => $hash, 'salt' => $salt];
}
Bcrypt
Bcrypt is a good choice, but the Password Hashing API described later is better.
function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // Cost 11; the 22-character salt may only contain ./0-9A-Za-z, so re-map base64's '+' to '.'
        // (random_bytes() replaces the original md5(uniqid(rand(), true)), which is not cryptographically random)
        $salt = '$2y$11$' . substr(strtr(base64_encode(random_bytes(17)), '+', '.'), 0, 22);
        return crypt($password, $salt);
    }
    return false; // Blowfish unavailable: signal failure instead of silently returning null
}
Bcrypt is based on the Blowfish cipher and is reached in PHP through the crypt() function. Here CRYPT_BLOWFISH is checked to confirm that Blowfish is available, and then a salt is generated as above. Note that for bcrypt the salt passed to crypt() must start with $2a$ or $2y$.
Password Hashing API
Now for the main topic. The Password Hashing API was added in PHP 5.5 and provides the following functions:
password_hash()          // hash the password
password_verify()        // check whether a submitted password matches the stored hash
password_needs_rehash()  // check whether the stored hash should be regenerated with new parameters
password_get_info()      // return the algorithm name and related information
This API is not only simpler to use but also more secure, and it is PHP's official recommendation for password storage.
$hash = password_hash($password, PASSWORD_DEFAULT);
PASSWORD_DEFAULT currently uses the bcrypt algorithm. Note that if your code uses PASSWORD_DEFAULT, the password column in the database table must allow more than 60 characters, because the default algorithm may change in a future PHP version and produce longer strings. You can also use PASSWORD_BCRYPT explicitly, in which case the resulting string is always 60 characters long.
In this example password_hash() is called without a salt or cost; both are optional. The cost can be thought of as a work factor: the larger the cost, the more expensive each hash computation becomes and the more resources it consumes. If you do need to specify a salt and cost, you can write:
$options = [
    'salt' => custom_function_for_salt(), // custom salt; the 'salt' option is deprecated since PHP 7.0 and removed in PHP 8.0
    'cost' => 12                          // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
In general, setting a custom cost is fine, but let password_hash() generate the salt itself.
Once the hash is stored, verifying a password takes a single call:
<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}
password_verify() compares the submitted password directly against the hash stored earlier (for example in the database).
If you later change the algorithm or the cost, use the following code to rehash the password:
// Only do this after password_verify() has succeeded, because rehashing needs the plaintext password
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) { // the cost is now 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // Save the new hash value again
}
Only in this way does the stored hash reflect the new parameters, so that subsequent password verification keeps working and password_needs_rehash() stops reporting the hash as outdated.
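The complete register / login / upgrade flow from the preceding sections, as an added example that is not code from the original article. The $users array is a constructed stand-in for the user table, and the cost values 10 and 12 are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original article: the whole register / login / upgrade
// flow with the Password Hashing API. $users is a constructed in-memory array that
// stands in for the user table; the cost values are assumptions chosen for illustration.

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Registration: password_hash() generates a random salt itself, so two users
// with the same password still end up with different hashes.
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

// Login: verify first, then upgrade the stored hash if the algorithm or cost has
// changed. The rehash must happen here, because the plaintext is only available
// during a successful login.
function loginUser(array &$users, string $name, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified against when the user does not exist, so that an unknown
        // username costs about as much time as a wrong password.
        $dummyHash = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $users[$name] ?? $dummyHash;
    if (!password_verify($password, $stored) || !isset($users[$name])) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
// A legacy row, constructed here with the old default cost of 10
$users['alice'] = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
registerUser($users, 'bob', 'correct horse');

var_dump($users['alice'] !== $users['bob']);           // same password, different salts
var_dump(loginUser($users, 'alice', 'wrong'));          // wrong password
var_dump(loginUser($users, 'carol', 'correct horse'));  // unknown user
var_dump(loginUser($users, 'alice', 'correct horse'));  // succeeds and upgrades alice's hash
print_r(password_get_info($users['alice']));            // options now reflect the new cost
```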
password_get_info() returns the following three pieces of information:
1. algo - the algorithm identifier
2. algoName - the algorithm name
3. options - the options used when hashing, such as the cost
That is all for this article; I hope it is helpful.