Several methods of password encryption in PHP

Source: Internet
Author: User
Tags crypt sha1 encryption
This article mainly introduces several methods for implementing password encryption in PHP. If you need it, refer to this article.

This article mainly introduces several methods for implementing password encryption in PHP. If you need it, refer to this article.

PHP develops WEB applications and often completes user registration information. The registration information includes email address and password verification issues. This article mainly focuses on password encryption technicians.


I believe that when many PHP developers first came into contact with PHP, the preferred encryption function for password processing may be MD5. At that time, I was like this:

The Code is as follows:

$ Password = md5 ($ _ POST ["password"]);

Is the above Code quite familiar? However, the MD5 encryption method is currently not very popular in PHP, because its encryption algorithm is actually a bit simple, in addition, many password cracking sites store a lot of MD5-encrypted password strings, so I do not advocate using MD5 alone to encrypt users' passwords.

SHA256 and SHA512

In fact, there is also a SHA1 encryption method in the same period as the MD5 method, but it is also a simple algorithm, so let's take it over here. The SHA256 and SHA512 mentioned here are both from the SHA2 family's encryption functions. You may have guessed the name, the two encryption methods generate 256 and 512-bit hash strings respectively.

Their usage is as follows:

The Code is as follows:

<? Php
$ Password = hash ("sha256", $ password );

PHP has a built-in hash () function. You only need to pass the encryption method to the hash () function. You can directly specify sha256, sha512, md5, sha1, and other encryption methods.

Salt Value

In the encryption process, we also have a very common friend: salt value. Yes, we will add an extra string to the encrypted string during encryption to improve security:

The Code is as follows:

<? Php
Function generateHashWithSalt ($ password ){
$ IntermediateSalt = md5 (uniqid (rand (), true ));
$ Salt = substr ($ intermediateSalt, 0, 6 );
Return hash ("sha256", $ password. $ salt );


If I suggest an encryption method, Bcrypt may be the minimum requirement I recommend for you, because I will strongly recommend the Hashing API that you will discuss later, however, Bcrypt is also a good encryption method.

The Code is as follows:

<? Php
Function generateHash ($ password ){
$ Salt = '$ 2y $11 $'. substr (md5 (uniqid (rand (), true), 0, 22 );
Return crypt ($ password, $ salt );

Bcrypt is actually a combination of Blowfish and crypt () functions. Here we use CRYPT_BLOWFISH to determine whether Blowfish is available and then generate a salt value like above. However, it should be noted that crypt () the salt value must start with $ 2a $ or $ 2y $. For more information, see the following link:

For more information, see:

Password Hashing API

Here is the main story. The Password Hashing API is a new feature provided after PHP 5.5. It mainly provides the following functions for our use:

The Code is as follows:

Password_hash ()-encrypt the password.
Password_verify ()-verify the encrypted password and verify that its hash string is consistent.
Password_needs_rehash ()-re-encrypt the password.
Password_get_info ()-return the encryption algorithm name and related information.

Although the crypt () function is sufficient, password_hash () not only makes our code shorter, but also provides us with better security protection, currently, PHP officially recommends this method to encrypt users' passwords. Many popular frameworks such as Laravel use this method.

The Code is as follows:

<? Php
$ Hash = password_hash ($ passwod, PASSWORD_DEFAULT );

Yes, that's just a simple line of code, All done.

PASSWORD_DEFAULT currently uses Bcrypt, so I will recommend this on it, but because the Password Hashing API is better, I must seriously think that you would recommend the Password Hashing API. Note that if your code uses the PASSWORD_DEFAULT encryption method, you must set the password field to exceed 60 characters in the database table. You can also use PASSWORD_BCRYPT, at this time, the encrypted string is always 60 characters in length.

In this example, password_hash () is used. You can choose not to provide the salt and cost values. You can consider the latter as a performance consumption value. The larger the cost, the more complex the encryption algorithm is, the larger the memory consumed. Of course, if you need to specify the corresponding salt value and consumption value, you can write as follows:

<? Php $ options = ['salt' => custom_function_for_salt (), // write your own code to generate a suitable salt 'cost' => 12 // the default cost is 10]; $ hash = password_hash ($ password, PASSWORD_DEFAULT, $ options );

After the password is encrypted, we need to verify the password to determine whether the password entered by the user is correct:

<? Phpif (password_verify ($ password, $ hash) {// Pass} else {// Invalid}

It's easy. Simply use password_verify to verify the previously encrypted string (in the database.

However, if we sometimes need to change our encryption method, for example, if we suddenly want to change the salt value or increase the consumption value one day, we need to use the password_needs_rehash () function at this time:

<? Phpif (password_needs_rehash ($ hash, PASSWORD_DEFAULT, ['cost' => 12]) {// cost change to 12 $ hash = password_hash ($ password, PASSWORD_DEFAULT, ['cost' => 12]); // don't forget to store the new hash !}

Only in this way will the PHP Password Hashing API know that we have replaced the encryption method again. The main purpose of this method is to verify the Password later.

To put it simply, password_get_info (), this function can see the following three information:

Algo-algorithm instance
AlgoName-algorithm name
Options-optional parameters during encryption

Based on the above content, I personally suggest using PHP5.5 for better use. I hope you will like the content above.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.