info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-31 00:59:53 +02:00
Code Issues Projects Releases Wiki Activity

Style consistency Round 2

Browse Source 
- spacing of jekyll tags at top of file
- line wrap at 120 chars
- url/link verification and move to bottom and order
This commit is contained in:
jrfnl
2014-12-08 05:16:00 +01:00
parent 3f66f074d5
commit 87202921c7
33 changed files with 565 additions and 399 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
_posts/10-03-01-Password-Hashing.md
View File

@@ -1,19 +1,28 @@
---
isChild: true
anchor: password_hashing
anchor: password_hashing
---
## Password Hashing {#password_hashing_title}
Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a database and later used to authenticate users upon login.
Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a
database and later used to authenticate users upon login.
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible, one way function performed against the user's password. This produces a fixed-length string that cannot be feasibly reversed. This means you can compare a hash against another to determine if they both came from the same source string, but you cannot determine the original string. If passwords are not hashed and your database is accessed by an unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password for other services. Therefore, it is important to take security seriously.
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible, one
way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
reversed. This means you can compare a hash against another to determine if they both came from the same source string,
but you cannot determine the original string. If passwords are not hashed and your database is accessed by an
unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password
for other services. Therefore, it is important to take security seriously.
**Hashing passwords with `password_hash`**
In PHP 5.5 `password_hash` was introduced. At this time it is using BCrypt, the strongest algorithm currently supported by PHP. It will be updated in the future to support more algorithms as needed though. The `password_compat` library was created to provide forward compatibility for PHP >= 5.3.7.
In PHP 5.5 `password_hash` was introduced. At this time it is using BCrypt, the strongest algorithm currently supported
by PHP. It will be updated in the future to support more algorithms as needed though. The `password_compat` library was
created to provide forward compatibility for PHP >= 5.3.7.
Below we hash a string, and then check the hash against a new string. Because our two source strings are different ('secret-password' vs. 'bad-password') this login will fail.
Below we hash a string, and then check the hash against a new string. Because our two source strings are different
('secret-password' vs. 'bad-password') this login will fail.
{% highlight php %}
<?php
@@ -29,12 +38,12 @@ if (password_verify('bad-password', $passwordHash)) {
{% endhighlight %}
* [Learn about `password_hash`] [1]
* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
* [Learn about hashing in regards to cryptography] [3]
* [PHP `password_hash` RFC] [4]
[1]: http://php.net/function.password-hash
[2]: https://github.com/ircmaxell/password_compat
[3]: http://en.wikipedia.org/wiki/Cryptographic_hash_function