We will learn what is the significance of a hash for a secure
password in PHP. Password hashing is one of the most basic security
issues while developing an application or website, we usually accept
some value from the user as in a password, without hashing we store it
in the Applications database, the question arises in the scenario of
someone stealing the application database then perhaps you lose that
application connection to users and many other things.
For such
kinds of scenarios we use hashing, by applying a hashing algorithm to
our password before storing it in the database, we ensure that attackers
will not determine the original password, while still being able to
compare the resulting hash to the original password in the future.
Topics
- About hash
- About slat
- Code
About HashingHashing
is an algorithm. An algorithm for protecting our user inputted password
from attackers. There are some algorithms available named MD5, SH1 and
SHA256 that are very fast and efficient. With some modern techniques and
computer equipment, it has become trivial for the In PHP to use "brute
force" to get the stored (hashed) encrypted value. PHP 5.5 provides a
native password hashing API that safely handles both hashing and the
verifying of the password in a secure manner. For verifying the password
we mostly use the
crypt() function. We need to take
care of preventing timing attacks by using a constant time-sharing
comparison. Neither the "==" and "===" operators nor
strcmp(). A
password_verify() is used to verify.
About SaltA
cryptographic salt is data that is applied during the hashing process
in order to eliminate the possibility of output being looked up in a
list of per-calculated pairs of hashes and their input, this is known as
a rainbow table.
Salt is a "bit" of additional data that makes
our hashes safe and secure from attackers. The use of a salt makes it
impossible to find the result.
password_hash() That creates a random salt if one will not be provided and this is generally the easiest and most secure approach.
Code
- <?php
- echo password_hash("hello", PASSWORD_DEFAULT)."\n";
- ?>
-
When we use
password_hash() or
crypt(),
the
return value includes the salt as part of the generated hash. This
value will be stored in the database, since it includes information
about the hash function that was used and can be given directly to
password_verify() or
crypt() when we verify the password.
SummaryIn
this article we learned how to be secure when we use passwords. Salt,
Hashing and their work flow. Thanks for reading this article.
1 comments:
great work!!
Post a Comment