This article introduces several ways of handling passwords in PHP, with the emphasis on how a password should be hashed before it is stored. Note that what we need here is hashing, not encryption: an encrypted password can be decrypted by anyone who obtains the key, whereas a properly hashed password cannot be recovered from the stored value at all. In everyday development we constantly have to store passwords, and when many PHP developers first come into contact with the language the function they reach for is MD5, which is what I did at the time:
$password = md5($_POST["password"]);
MD5 is the most widely known hashing method, but it is no longer acceptable for passwords. The problem is not only that the algorithm has known collision weaknesses; the real issue is that it is extremely fast and, used as above, unsalted. A GPU can compute billions of MD5 hashes per second, and many password-cracking sites keep large lookup tables of precomputed MD5 digests, so an unsalted MD5 value of a common password is reversed instantly. For these reasons I do not advocate using MD5 to hash user passwords.
Besides MD5, this article collects several other password hashing methods available in PHP.
I. SHA256 and SHA512
SHA1 dates from the same period as MD5; it is also fast and has practical collision attacks, so we will not cover it here. SHA256 and SHA512 are hash functions from the SHA-2 family. As the names suggest, they produce digests of 256 and 512 bits respectively (64 and 128 hexadecimal characters in PHP's default output).
Their usage is as follows:
$password = hash("sha256", $password);
PHP has a built-in hash() function; you pass the algorithm name as the first argument, for example "sha256", "sha512", "md5" or "sha1" (hash_algos() lists everything your build supports). Be aware, however, that SHA-2 is a general-purpose hash designed to be fast, not a password hash: an unsalted SHA256 digest of a common password is cracked just as easily as an MD5 one. The salt in the next section helps, but it does not make the function slow.
II. salt value
Alongside the hash function itself there is another very common ingredient: the salt. A salt is a random string appended to the password before hashing, so that two users with the same password get different hashes and an attacker cannot use a single precomputed table against the whole database. The salt must be unpredictable (generated from a cryptographically secure source such as random_bytes()), and it must be stored next to the hash, because it is needed again every time the password is verified.
For example (the original version of this function built the salt from md5(uniqid(rand())) and did not return it, which made the hash impossible to verify; both problems are fixed here):
function generateHashWithSalt(string $password): array {
    // Take the salt from a CSPRNG, not from uniqid()/rand(); 16 bytes is plenty.
    $salt = bin2hex(random_bytes(16));
    // Return the salt together with the hash: without it the password can never be checked.
    return ['salt' => $salt, 'hash' => hash('sha256', $password . $salt)];
}
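To make the two points above concrete (that an unsalted fast hash falls to a single table lookup, and that a per-user salt forces the attacker to start over for every record), here is an added example that is not part of the original article. The "leaked" hashes and the wordlist are constructed inline for illustration; saltedHash() is a hypothetical helper.

```php
<?php
// Added example: dictionary attack against unsalted SHA-256, then the same
// passwords stored with a random per-user salt. All data is constructed.

// A small "leaked" table of unsalted SHA-256 digests (constructed).
$leaked = [
    'alice' => hash('sha256', 'password123'),
    'bob'   => hash('sha256', 'letmein'),
    'carol' => hash('sha256', 'password123'),   // same password as alice
];

// A tiny wordlist standing in for a real dictionary.
$wordlist = ['123456', 'password', 'letmein', 'password123', 'qwerty'];

// Precompute digest => plaintext once (a rainbow-table-style lookup).
$table = [];
foreach ($wordlist as $candidate) {
    $table[hash('sha256', $candidate)] = $candidate;
}

// Every user costs one array lookup, and identical digests immediately
// reveal that alice and carol share a password.
foreach ($leaked as $user => $digest) {
    printf("%-6s unsalted: %s\n", $user, $table[$digest] ?? '(not in wordlist)');
}

// Now the same passwords, each hashed with its own random 16-byte salt.
function saltedHash(string $password): array {
    $salt = random_bytes(16);   // CSPRNG, never uniqid()/rand()
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password, true)];
}
$salted = [
    'alice' => saltedHash('password123'),
    'bob'   => saltedHash('letmein'),
    'carol' => saltedHash('password123'),
];

// The precomputed table is now useless: the attacker must re-run the whole
// wordlist against each record separately, and the hashes no longer collide.
// The same loop is also exactly how a server verifies a salted hash:
// recompute with the stored salt and compare in constant time.
foreach ($salted as $user => $rec) {
    $found = '(not in wordlist)';
    foreach ($wordlist as $candidate) {
        if (hash_equals($rec['hash'], hash('sha256', $rec['salt'] . $candidate, true))) {
            $found = $candidate;
            break;
        }
    }
    printf("%-6s salted:   %s (salt %s)\n", $user, $found, bin2hex($rec['salt']));
}
printf("alice and carol hashes equal? %s\n",
    $salted['alice']['hash'] === $salted['carol']['hash'] ? 'yes' : 'no');
```

The salt defeats precomputation, but notice that the inner loop is still only a few SHA-256 calls per guess; per-record cracking remains cheap on a GPU. That is why the sections below move to a deliberately slow function.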
III. Bcrypt
Bcrypt is a good choice: it is salted, deliberately slow, and has an adjustable work factor. The Password Hashing API described later uses the same algorithm, so it is not "better" cryptographically; it is simply a safer wrapper that generates the salt for you and makes the mistakes below harder to make.
function generateHash(string $password, int $cost = 11): string {
    // CRYPT_BLOWFISH has been guaranteed since PHP 5.3.7, but the check is cheap.
    if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    // The salt is 22 characters from the bcrypt alphabet ./A-Za-z0-9, taken from a CSPRNG.
    $salt = '$2y$' . sprintf('%02d', $cost) . '$'
          . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}
Bcrypt in PHP is the Blowfish-based variant of the crypt() function. We check CRYPT_BLOWFISH to confirm it is available and then build a salt string of the form $2y$<cost>$<22 salt characters>; the cost is a two-digit number between 04 and 31. The original version of this function derived the salt from md5(uniqid(rand())), which is predictable, and silently returned nothing when Blowfish was missing; both are corrected above. Note that the salt must begin with $2a$ or $2y$ (prefer $2y$, which identifies the implementation with the 2011 sign-extension bug fixed), that bcrypt only uses the first 72 bytes of the password, and that crypt() reports failure by returning a short string such as "*0" rather than by throwing, so the result should be checked before it is stored.
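The article never shows how a crypt()-based bcrypt hash is verified, so here is an added example (not the article's code) that pairs hashing with verification. The function names are assumptions; the trick of passing the stored hash back to crypt() as its "salt" argument is standard crypt() behaviour.

```php
<?php
// Added example: bcrypt via crypt() with a random salt, plus verification.

function bcryptHash(string $password, int $cost = 11): string {
    // 22-character salt from the bcrypt alphabet ./A-Za-z0-9, from a CSPRNG.
    $salt = sprintf('$2y$%02d$%s', $cost,
        substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22));
    $hash = crypt($password, $salt);
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcryptVerify(string $password, string $storedHash): bool {
    // Passing the stored hash as the salt reuses its $2y$, cost and salt
    // fields, so crypt() recomputes exactly the same hash for the right
    // password. Compare in constant time to avoid a timing side channel.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed usage: bcrypt only reads the first 72 bytes of the password,
// so anything beyond that is silently ignored.
$hash = bcryptHash('correct horse battery staple');
echo $hash, "\n";
var_dump(bcryptVerify('correct horse battery staple', $hash));
var_dump(bcryptVerify('wrong password', $hash));
```

Use hash_equals() rather than == or === for the comparison; the latter may stop at the first differing byte and leak information through timing.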
IV. Password Hashing API
Here is the main story. The Password Hashing API has been part of PHP since 5.5 and provides the following functions:
password_hash()         // hash a password with a freshly generated salt
password_verify()       // check a password against a stored hash
password_needs_rehash() // report whether a stored hash should be regenerated (cost or algorithm changed)
password_get_info()     // return the algorithm name and options used for a hash
This API is not only simpler but also safer than calling crypt() yourself, and it is the officially recommended way to hash passwords in PHP.
$hash = password_hash($password, PASSWORD_DEFAULT);
PASSWORD_DEFAULT currently selects bcrypt, which produces a 60-character string, and PASSWORD_BCRYPT selects bcrypt explicitly. If your code uses PASSWORD_DEFAULT, the password column in your database must be wider than 60 characters (the PHP manual suggests 255), because the default algorithm may change in a future release and produce longer hashes.
In this example password_hash() is called without any options, so the salt and cost take their defaults. The cost is a work factor: bcrypt performs 2^cost rounds of key setup, so raising the cost by one doubles the CPU time needed to compute, and therefore to brute-force, a hash (bcrypt's memory use is fixed; only Argon2 trades memory as well). If you want to set the cost explicitly, you can write:
$options = [
    'cost' => 12,   // the default is 10; pick a value that takes roughly 100 to 250 ms on your server
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
Earlier versions of this API also accepted a 'salt' option with a caller-supplied salt; it was deprecated in PHP 7.0 and removed in PHP 8.0, and should not be used. In general, choose a custom cost and let the function generate the salt.
After hashing, checking a login is a single call:
password_verify($password, $hash);
password_verify() takes the plaintext the user just typed and the hash previously stored in the database; the salt and cost are read from the hash itself, and the comparison is done in constant time.
If you later raise the cost or the default algorithm changes, existing hashes can be upgraded with password_needs_rehash(). Because rehashing needs the plaintext, the only place to do it is immediately after a successful password_verify():
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {   // the target cost is 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // store the new hash in the database
}
password_needs_rehash() compares the algorithm and options recorded in the stored hash with those you pass in, so hashes migrate transparently as users log in.
password_get_info() returns an array with three elements:
1. algo - the algorithm identifier (a string such as "2y" since PHP 7.4; an integer constant in earlier versions)
2. algoName - the algorithm name, for example "bcrypt"
3. options - the options recorded in the hash, such as ['cost' => 12]
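To tie the four functions together, here is an added example (not code from the original article) of a complete register and login flow. An in-memory array stands in for the users table, and the helper names, the cost constant and the legacy row are all assumptions made for the example. It needs PHP 7.4 or later for the ??= operator.

```php
<?php
// Added example: register / login with the Password Hashing API, including
// transparent rehashing of an old hash and a constant-cost path for unknown users.

const PASSWORD_COST = 12;   // tune so password_hash() takes ~100-250 ms on your hardware

$users = [];   // username => value of the password column (constructed stand-in for a table)

function registerUser(array &$users, string $username, string $password): void {
    // The plaintext is never stored; the salt is generated internally and
    // embedded in the returned hash string.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

function loginUser(array &$users, string $username, string $password): bool {
    // Verify against a real bcrypt hash even when the user does not exist,
    // so response time does not reveal which usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }
    // This is the only moment the plaintext is available, so upgrade the
    // stored hash here if the cost or default algorithm has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
    }
    return true;
}

// Constructed data: one account created at an older, lower cost, one new account.
$users['legacy'] = password_hash('OldPassw0rd!', PASSWORD_BCRYPT, ['cost' => 10]);
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong'));
var_dump(loginUser($users, 'nobody', 'anything'));

// The legacy row is upgraded to PASSWORD_COST on its first successful login.
print_r(password_get_info($users['legacy']));
loginUser($users, 'legacy', 'OldPassw0rd!');
print_r(password_get_info($users['legacy']));
```

In a real application the array writes become UPDATE statements on the users table, and the column should be at least 255 characters wide so that a future change of PASSWORD_DEFAULT does not truncate hashes.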
That is all for this article. I hope it helps you in your PHP development.