Update Security links with https

Josh Lockhart
2018-06-19 14:44:20 -04:00
parent f8278e5357
commit 1b9ebc9672
5 changed files with 22 additions and 22 deletions


@@ -12,13 +12,13 @@ It is important that you properly [_hash_][3] passwords before storing them. Pas
one-way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
reversed. This means you can compare a hash against another to determine if they both came from the same source string,
but you cannot determine the original string. If passwords are not hashed and your database is accessed by an
unauthorized third-party, all user accounts are now compromised.
unauthorized third-party, all user accounts are now compromised.
Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of "rainbow tables" (a reverse list of crytographic hashes for common passwords.)
Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor.
Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor.
Fortunately, nowadays PHP makes this easy.
Fortunately, nowadays PHP makes this easy.
**Hashing passwords with `password_hash`**
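Review bot: None of the lines in this hunk show a visible change; each touched line appears as an identical pair (the two "unauthorized third-party, all user accounts are now compromised." lines, the two "Hashing and salting are vital..." lines, the two "Fortunately, nowadays PHP makes this easy." lines), so this region is a whitespace-only edit that the commit message "Update Security links with https" does not describe. Either drop the incidental whitespace churn or mention it in the message; while this paragraph is being touched anyway, the typo "crytographic" in "(a reverse list of crytographic hashes for common passwords.)" could be corrected to "cryptographic".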
@@ -40,9 +40,9 @@ if (password_verify('bad-password', $passwordHash)) {
} else {
// Wrong password
}
{% endhighlight %}
{% endhighlight %}
`password_hash()` takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. `password_verify()` extracts this to determine how to check the password, so you don't need a separate database field to store your salts.
`password_hash()` takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. `password_verify()` extracts this to determine how to check the password, so you don't need a separate database field to store your salts.
* [Learn about `password_hash()`] [1]
* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
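Review bot: As in the first hunk, the changed lines here ("{% endhighlight %}" and the `password_hash()` salting paragraph) are shown as identical pairs, so the change is whitespace only and unrelated to the https update in the commit message; it would be cleaner in a separate commit or noted explicitly. A small style point on the unchanged list items: the space between the link text and the reference label in "[Learn about `password_hash()`] [1]" and "[`password_compat` for PHP >= 5.3.7 && < 5.5] [2]" is accepted by kramdown but is not valid in CommonMark, so "[Learn about `password_hash()`][1]" is the more portable form.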
@@ -51,8 +51,8 @@ if (password_verify('bad-password', $passwordHash)) {
* [PHP `password_hash()` RFC] [4]
[1]: http://php.net/function.password-hash
[1]: https://secure.php.net/function.password-hash
[2]: https://github.com/ircmaxell/password_compat
[3]: http://en.wikipedia.org/wiki/Cryptographic_hash_function
[3]: https://wikipedia.org/wiki/Cryptographic_hash_function
[4]: https://wiki.php.net/rfc/password_hash
[5]: https://en.wikipedia.org/wiki/Salt_(cryptography)
[5]: https://wikipedia.org/wiki/Salt_(cryptography)
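Review bot: The changes to [3] and [5] alter the host, not only the scheme: "http://en.wikipedia.org/wiki/Cryptographic_hash_function" becomes "https://wikipedia.org/wiki/Cryptographic_hash_function", and "https://en.wikipedia.org/wiki/Salt_(cryptography)" (already https) becomes "https://wikipedia.org/wiki/Salt_(cryptography)". Dropping "en." sends readers through an extra redirect and makes the target depend on Wikipedia's language handling rather than linking the English article directly, which goes beyond what "Update Security links with https" states; suggest keeping "https://en.wikipedia.org/wiki/..." for both. The [1] change from "http://php.net/function.password-hash" to "https://secure.php.net/function.password-hash" is a scheme-plus-host change too, which is fine as long as secure.php.net is the documented https endpoint, but it is worth a word in the commit message.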