PHP Encryption: Password Hashing API

After PHP 5.5, the Password hashing API was introduced to create and verify hashed passwords. It comes with the kernel and does not require any extension installation and configuration. It mainly provides four functions for use:

● password_hash(): Create a hash of the password;

● password_verify(): Verify whether the password matches the hash;

● password_needs_rehash(): Check whether the given hash matches the given option;

● password_get_info(): Return relevant information about the specified hash.

1, password_hash(string password, int algo [, array options])

Use a one-way hashing algorithm of sufficient strength to generate a hash of the password. This function is compatible with crypt(), that is, the hash value generated by crypt() can be verified using the related functions of the Password hashing API.

● password: user password.

● algo: cryptographic algorithm constant. Values ​​include:

● PASSWORD_DEFAULT: Use bcrypt algorithm. The final generated result may exceed 60 characters;

● PASSWORD_BCRYPT: Use the CRYPT_BLOWFISH algorithm to create the hash. The final result is a 60-character string, or FALSE on failure.

● salt: Manually provide the salt value for the hashed password. When omitted, the function automatically generates a random salt value for each password hash. This item has been abandoned in PHP 7.0;

● cost: represents the cost used by the algorithm. The default value is 10, which can be increased according to actual conditions.

2, password_verify(string password, string hash)

● password: Password provided by the user.

● hash: Hash value created by password_hash(). Returns TRUE if there is a match, FALSE otherwise. Timing attacks do not work on this function.

3、password_needs_rehash(string hash, integer algo [, array opitons])

● hash: the hash generated by password_hash();

● algo: cryptographic algorithm constant;

● options: an associative array containing related options.

4, password_get_info(string hash) hash: The hash generated by password_hash(). Returns an associative array containing three elements:

● algo: password algorithm constant;

● algoName: algorithm name;

● options: provided when calling password_hash() Options.

Example

$str = 'chicken,run!';
$pwd1 = password_hash($str, PASSWORD_BCRYPT);
$pwd2 = crypt($str);

var_dump(password_verify('chicken,run!', $pwd1));    // 输出 true
var_dump(password_verify('chicken,ran!', $pwd1));    // 输出 false
var_dump(password_verify($str, $pwd2));    // 输出 true
var_dump(password_needs_rehash($pwd1, PASSWORD_BCRYPT, ['cost'=>10]));   // 输出 false,因为 password_hash() 在加密时,出来默认 cost 为 10 外,还会指定随机的盐值

For more programming related content, please pay attention to the Programming Introduction column on the php Chinese website!

The above is the detailed content of PHP Encryption: Password Hashing API. For more information, please follow other related articles on the PHP Chinese website!