info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-15 10:13:58 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #219 from Sean-Der/password_

Browse Source 
Update password hashing section
This commit is contained in:
Phil Sturgeon
2012-12-05 21:16:02 -08:00
parent 08a154248a 8b7b2ae556
commit bbb5d0346c
2 changed files with 44 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
_posts/07-03-01-Password-Hashing-with-Bcrypt.md
View File

@@ -1,19 +0,0 @@
---
isChild: true
---
## Password Hashing with Bcrypt {#password_hashing_with_bcrypt_title}
Eventually everyone builds a PHP application that relies on user login. Usernames and (hashed) passwords are stored in a database and later used to authenticate users upon login.
It is important that you properly _hash_ passwords that are stored in a database. If passwords are not hashed, and your database is hacked or accessed by an unauthorized third-party, all user accounts are now compromised.
**Hash passwords with Bcrypt**. It's super simple, and (for all intents and purposes) Bcrypt makes it impossible for someone to reverse-engineer the plain-text version of a password should the database be compromised.
There are several Bcrypt libraries for PHP that you may use.
* [Read "How to Safely Store a Password" by Coda Hale][3]
* [Use Bcrypt with PHPass][4]
[3]: http://codahale.com/how-to-safely-store-a-password/
[4]: http://www.openwall.com/phpass/

44
_posts/07-03-01-Password-Hashing.md Normal file
View File

@@ -0,0 +1,44 @@
---
isChild: true
---
## Password Hashing {#password_hashing_title}
Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a database and later used to authenticate users upon login.
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible, one way function performed against the users password. This produces a fix length string that can not be feasibly reversed. This means you can compare a hash against another to determine if they both came from the same source string, but you can not determine the original string. If passwords are not hashed and your database is accessed by an unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password for other services. Therefore, it is important to take security seriously.
**Hashing passwords with `password_hash`**
In PHP 5.5 `password_hash` will be introduced. At this time it is using BCrypt, the strongest algorithm currently supported by PHP. It will updated in the future to support more algorithms as needed though. The `password_compat` library was created to provide forward compatibility for PHP >= 5.3.7.
Below we hash two strings, but because the two hashes do not match the user will be denied login.
{% highlight php %}
<?php
require 'password.php';
$hash1 = password_hash("secret-password", PASSWORD_DEFAULT);
$hash2 = password_hash("wrong-password", PASSWORD_DEFAULT);
//$hash1 == $2y$10$EjIg0Uupiwq7WeZEghz1PumEoBX3v/.eGWHaJGxCe.2tTKe90GM5e
//$hash2 == $2y$10$CxowuHb7aDogobMRbLLPDubgzMJ7oO3DErtpvpIV20tLOXY26t7Ay
if ($hash1 == $hash2) {
//Welcome!
} else {
//Wrong password
}
{% endhighlight %}
* [Learn about `password_hash`] [1]
* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
* [Learn about hashing in regards to cryptography] [3]
* [PHP `password_hash` RFC] [4]
[1]: http://us2.php.net/manual/en/function.password-hash.php
[2]: https://github.com/ircmaxell/password_compat
[3]: http://en.wikipedia.org/wiki/Cryptographic_hash_function
[4]: https://wiki.php.net/rfc/password_hash