Several Ways to Handle Passwords in PHP_PHP Tutorial

Several ways for PHP to handle passwords

When using PHP to develop web applications, many applications will require users to register, and when registering, we need the user’s information After processing, the most common ones are email addresses and passwords. This article is intended to discuss the processing of passwords: that is, the encryption of passwords.

MD5

I believe that when many PHP developers first came into contact with PHP, the preferred encryption function for handling passwords might be MD5. This is what I thought at the time:

$password = md5($_POST["password"]);

Is the above code very familiar? However, the MD5 encryption method seems to be not very popular in the PHP world at present, because its encryption algorithm is really a bit simple, and many password cracking sites have There are a lot of password strings encrypted by MD5, so here I strongly discourage using MD5 alone to encrypt user passwords.

SHA256 and SHA512

In fact, there is a SHA1 encryption method at the same time as the previous MD5, but the algorithm is relatively simple, so I will briefly mention it here. The SHA256 and SHA512 we are about to talk about here are both encryption functions from the SHA2 family. You may have guessed it by looking at the names. These two encryption methods generate hash strings of 256 and 512 bit length respectively.

How to use them is as follows:

$password = hash("sha256", $password);

PHP has a built-in hash() function. You only need to pass the encryption method to the hash() function. You can directly specify sha256, sha512, md5, sha1 and other encryption methods.

Salt value

In the encryption process, we also have a very common little partner: salt value. Yes, when we encrypt, we will actually add an extra string to the encrypted string to achieve a certain level of security:

Function generateHashWithSalt($password) {

$intermediateSalt = md5(uniqid(rand(), true));

　$salt = substr($intermediateSalt, 0, 6);

return hash("sha256", $password . $salt);

　}

Bcrypt

If I were to suggest an encryption method, Bcrypt may be the minimum requirement I recommend to you, because I will strongly recommend the Hashing API that you will talk about later, but Bcrypt is also a relatively good encryption. way.

Function generateHash($password) {

　if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {

　$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);

return crypt($password, $salt);

　}

　}

Bcrypt is actually a combination of Blowfish and crypt() functions. Here we use CRYPT_BLOWFISH to determine whether Blowfish is available, and then generate a salt value as above. However, it should be noted here that the salt value of crypt() must be $2a $ or $2y$, please refer to the link below for detailed information:

　http://www.php.net/security/crypt_blowfish.php

More information can be found here:

http://php.net/manual/en/function.crypt.php

Password Hashing API

Here is our highlight. Password Hashing API is a new feature only available after PHP 5.5. It mainly provides the following functions for us to use:

Password_hash() – Encrypt the password.

password_verify() – Verify the encrypted password and check whether the hash string is consistent.

Password_needs_rehash() – Re-encrypt passwords.

Password_get_info() – Returns the name of the encryption algorithm and some related information.

Although the crypt() function is sufficient for use, password_hash() not only makes our code shorter, but also gives us better security protection. Therefore, it is now officially recommended by PHP This method is used to encrypt the user's password. Many popular frameworks such as Laravel use this encryption method.

　$hash = password_hash($passwod, PASSWORD_DEFAULT);

Yes, it’s that simple, one line of code, All done.

PASSWORD_DEFAULT is currently using Bcrypt, so I would recommend this above. However, because Password Hashing API does a better job, I must solemnly recommend Password Hashing API to you. What needs to be noted here is that if your code uses the PASSWORD_DEFAULT encryption method, then in the database table, the password field must be set to more than 60 characters in length. You can also use PASSWORD_BCRYPT. In this case, the encrypted string will always be 60 characters in length.

When using password_hash() here, you don’t have to provide the salt value (salt) and the consumption value (cost). You can understand the latter as a performance consumption value. The larger the cost, the more complex the encryption algorithm is, and the more expensive it is. The memory will be larger. Of course, if you need to specify the corresponding salt value and consumption value, you can write like this:

　$options = [

　'salt' => custom_function_for_salt(), //write your own code to generate a suitable salt

　'cost' => 12 // the default cost is 10

　];

$hash = password_hash($password, PASSWORD_DEFAULT, $options);

After the password is encrypted, we need to verify the password to determine whether the password entered by the user is correct:

　if (password_verify($password, $hash)) {

// Pass

　}

else {

// Invalid

　}

It’s very simple. Just use password_verify to verify our previously encrypted string (stored in the database).

However, if sometimes we need to change our encryption method, such as one day we suddenly want to change the salt value or increase the consumption value, we will use the password_needs_rehash() function at this time:

　if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {

　// cost change to 12

　$hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);

// don't forget to store the new hash!

　}

Only in this way will PHP’s Password Hashing API know that we have changed the encryption method again. The main purpose of this is for subsequent password verification.

Simply put password_get_info(), this function can generally see the following three pieces of information:

algo – algorithm example

algoName – Algorithm name

options - optional parameters during encryption

So, start using PHP 5.5 now, and don’t worry about lower versions anymore.