Wednesday, September 25, 2013

Hashing Passwords with the PHP 5.5 Password Hashing API

Using bcrypt is the currently accepted best practice for hashing passwords, but a large number of developers still use older and weaker algorithms like MD5 and SHA1. Some developers don't even use a salt while hashing. The new hashing API in PHP 5.5 aims to draw attention towards bcrypt while hiding its complexity. In this article I'll cover the basics of using PHP's new hashing API.

The new password hashing API exposes four simple functions:

- password_hash() – used to hash the password.
- password_verify() – used to verify a password against its hash.
- password_needs_rehash() – used when a password needs to be rehashed.
- password_get_info() – returns the name of the hashing algorithm and various options used while hashing.

password_hash()

Although the crypt() function is secure, it's considered by many to be too complicated and prone to programmer error. Some developers then use a weak salt and weak algorithm for generating a hash instead, for example:

password_hash() accepts an optional third argument with a custom salt and a cost parameter:

    $options = [
        'salt' => custom_function_for_salt(), // write your own code to generate a suitable salt
        'cost' => 12 // the default cost is 10
    ];
    $hash = password_hash($password, PASSWORD_DEFAULT, $options);

Because the algorithm is selected with PASSWORD_DEFAULT, you are always up to date with new security measures. If PHP later decides to implement a more powerful hashing algorithm, your code can take advantage of it.

password_verify()

Now that you have seen how to generate hashes with the new API, let's see how to verify a password. Remember that you store the hashes in a database, but it's the plain password that you get when a user logs in. The password_verify() function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password.

password_needs_rehash()

    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
        // the password needs to be rehashed as it was not generated with
        // the current default algorithm or not created with the cost
        // parameter 12
        $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
        // don't forget to store the new hash!
    }

Keep in mind that you'll need to do this when the user tries to log in to your website, as this is the only time you have access to the plain password.

password_get_info()

password_get_info() accepts a hash and returns an associative array of three elements:

- algo – a constant that identifies a particular algorithm
- algoName – the name of the algorithm used
- options – various options used while generating the hash

Conclusion

The new password hashing API is definitely easier to work with than fumbling with the crypt() function. If your website is currently running on PHP 5.5, then I strongly recommend that you use the new hashing API. Those who are using PHP 5.3.7 (or later) can use a library called password_compat, which emulates the API and automatically disables itself once the PHP version is upgraded to 5.5.

The post Hashing Passwords with the PHP 5.5 Password Hashing API appeared first on SitePoint.
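As an added example (not code from the SitePoint article), here is a minimal register/login flow that ties password_hash(), password_verify(), password_needs_rehash() and password_get_info() together in PHP 5.5-compatible code; $users, register_user(), login_user() and HASH_COST are assumed names, and the in-memory array stands in for a database table.

```php
<?php
// Added example (not from the article): a register/login flow on the PHP 5.5
// password API. $users is a constructed in-memory stand-in for a user table.
const HASH_COST = 12; // raise over time as hardware gets faster

function register_user(array &$users, $username, $password)
{
    // PASSWORD_DEFAULT is bcrypt in 5.5 and may change in later releases, so
    // store the whole hash string (it records algorithm, cost and salt) in a
    // column wide enough for future algorithms (e.g. VARCHAR(255)).
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

function login_user(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Login is the only moment the plaintext is available, so it is the only
    // place a hash made with an older algorithm or lower cost can be upgraded.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }
    return true;
}

// Demo: constructed account hashed at the default cost of 10 (as if created
// before HASH_COST was raised), then upgraded transparently at login.
$users = [];
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 10]);
print_r(password_get_info($users['alice']));   // inspect the stored hash before login

var_dump(login_user($users, 'alice', 'wrong password'));
var_dump(login_user($users, 'alice', 'correct horse battery staple'));

print_r(password_get_info($users['alice']));   // re-inspect after the login-triggered rehash
register_user($users, 'bob', 'another secret');
var_dump(login_user($users, 'bob', 'another secret'));
```

The rehash branch only runs after password_verify() has succeeded, so a wrong password never causes a stored hash to be rewritten.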