How do you use bcrypt for hashing passwords in PHP? [duplicate]
Asked Answered
C

11

1337

Every now and then I hear the advice "Use bcrypt for storing passwords in PHP, bcrypt rules".

But what is bcrypt? PHP doesn't offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of Blowfish in different languages. Now Blowfish is also available in PHP via mcrypt, but how does that help with storing passwords? Blowfish is a general purpose cipher, it works two ways. If it could be encrypted, it can be decrypted. Passwords need a one-way hashing function.

What is the explanation?

Crossbeam answered 25/1, 2011 at 15:34 Comment(7)
This question has been addressed previously, and their suggestion of using a standard library is excellent. Security is a complicated matter, and by using a package designed by someone who knows what the hell they're doing you're only helping yourself.Radically
@Radically - that page doesn't even mention bcrypt, much less explain what it is.Crossbeam
That's true. However, I included that link based on the title of the question, which IS answered in that question. Regarding the actual details of bcrypt, you can check out this journal paper. However, realize that your question is very broad; you're asking for a summary explanation of an entire field of research (which, I readily admit, I'm not familiar with myself).Radically
@Radically - I don't ask an explanation of how it works. I just want to know what it is. Because whatever I can dig up on the net under the keyword "bcrypt", can be in no way used for hashing passwords. Not directly anyway, and not in PHP. OK, by now I understand that it's really the "phpass" package which uses blowfish to encrypt your password with a key that is derived from your password (in essence encrypting the password with itself). But referencing it as "bcrypt" is severely misleading, and that is what I wanted to clarify in this question.Crossbeam
@Vilx: I've added more information as to why bcrypt is a one-way hashing algorithm versus an encryption scheme in my answer. There is this whole misconception that bcrypt is just Blowfish when in fact it has a totally different key schedule which ensures that plain text cannot be recovered from the cipher text without knowing the initial state of the cipher (salt, rounds, key).Honor
How to use the PHP 5.5 password hashing functionsGenia
Also see Openwall's Portable PHP password hashing framework (PHPass). Its hardened against a number of common attacks on user passwords.Alvinalvina
H
1113

bcrypt is a hashing algorithm which is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensures that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password salts (bcrypt REQUIRES salts) and you can be sure that an attack is virtually unfeasible without either ludicrous amount of funds or hardware.

bcrypt uses the Eksblowfish algorithm to hash passwords. While the encryption phase of Eksblowfish and Blowfish are exactly the same, the key schedule phase of Eksblowfish ensures that any subsequent state depends on both salt and key (user password), and no state can be precomputed without the knowledge of both. Because of this key difference, bcrypt is a one-way hashing algorithm. You cannot retrieve the plain text password without already knowing the salt, rounds and key (password). [Source]

How to use bcrypt:

Using PHP >= 5.5-DEV

Password hashing functions have now been built directly into PHP >= 5.5. You may now use password_hash() to create a bcrypt hash of any password:

<?php
// Usage 1:
echo password_hash('rasmuslerdorf', PASSWORD_DEFAULT)."\n";
// $2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
// For example:
// $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

// Usage 2:
$options = [
  'cost' => 11
];
echo password_hash('rasmuslerdorf', PASSWORD_BCRYPT, $options)."\n";
// $2y$11$6DP.V0nO7YI3iSki4qog6OQI5eiO6Jnjsqg7vdnb.JgGIsxniOn4C

To verify a user provided password against an existing hash, you may use the password_verify() as such:

<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Using PHP >= 5.3.7, < 5.5-DEV (also RedHat PHP >= 5.3.3)

There is a compatibility library on GitHub created based on the source code of the above functions originally written in C, which provides the same functionality. Once the compatibility library is installed, usage is the same as above (minus the shorthand array notation if you are still on the 5.3.x branch).

Using PHP < 5.3.7 (DEPRECATED)

You can use crypt() function to generate bcrypt hashes of input strings. This class can automatically generate salts and verify existing hashes against an input. If you are using a version of PHP higher or equal to 5.3.7, it is highly recommended you use the built-in function or the compat library. This alternative is provided only for historical purposes.

class Bcrypt{
  private $rounds;

  public function __construct($rounds = 12) {
    if (CRYPT_BLOWFISH != 1) {
      throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
    }

    $this->rounds = $rounds;
  }

  public function hash($input){
    $hash = crypt($input, $this->getSalt());

    if (strlen($hash) > 13)
      return $hash;

    return false;
  }

  public function verify($input, $existingHash){
    $hash = crypt($input, $existingHash);

    return $hash === $existingHash;
  }

  private function getSalt(){
    $salt = sprintf('$2a$%02d$', $this->rounds);

    $bytes = $this->getRandomBytes(16);

    $salt .= $this->encodeBytes($bytes);

    return $salt;
  }

  private $randomState;
  private function getRandomBytes($count){
    $bytes = '';

    if (function_exists('openssl_random_pseudo_bytes') &&
        (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL is slow on Windows
      $bytes = openssl_random_pseudo_bytes($count);
    }

    if ($bytes === '' && is_readable('/dev/urandom') &&
       ($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
      $bytes = fread($hRand, $count);
      fclose($hRand);
    }

    if (strlen($bytes) < $count) {
      $bytes = '';

      if ($this->randomState === null) {
        $this->randomState = microtime();
        if (function_exists('getmypid')) {
          $this->randomState .= getmypid();
        }
      }

      for ($i = 0; $i < $count; $i += 16) {
        $this->randomState = md5(microtime() . $this->randomState);

        if (PHP_VERSION >= '5') {
          $bytes .= md5($this->randomState, true);
        } else {
          $bytes .= pack('H*', md5($this->randomState));
        }
      }

      $bytes = substr($bytes, 0, $count);
    }

    return $bytes;
  }

  private function encodeBytes($input){
    // The following is code from the PHP Password Hashing Framework
    $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

    $output = '';
    $i = 0;
    do {
      $c1 = ord($input[$i++]);
      $output .= $itoa64[$c1 >> 2];
      $c1 = ($c1 & 0x03) << 4;
      if ($i >= 16) {
        $output .= $itoa64[$c1];
        break;
      }

      $c2 = ord($input[$i++]);
      $c1 |= $c2 >> 4;
      $output .= $itoa64[$c1];
      $c1 = ($c2 & 0x0f) << 2;

      $c2 = ord($input[$i++]);
      $c1 |= $c2 >> 6;
      $output .= $itoa64[$c1];
      $output .= $itoa64[$c2 & 0x3f];
    } while (true);

    return $output;
  }
}

You can use this code like this:

$bcrypt = new Bcrypt(15);

$hash = $bcrypt->hash('password');
$isGood = $bcrypt->verify('password', $hash);

Alternatively, you may also use the Portable PHP Hashing Framework.

Honor answered 25/1, 2011 at 15:34 Comment(13)
@AndrewMoore Hi, I've actually made a question regarding my issue, I was wondering if you maybe able to spot something that I'm missing? I'm getting really desperate, and this is the only thing I need to do to go forth on my login page (#11481699) Thank you so much!Lanner
@andrewliu theres nothing wrong with the syntax of your code, the only reason it wouldnt work was if $pass_l or $chk_pass aren't what they're suspose to be ;-) soz i keep commenting on stuff aimed at the other guy looool i can teamview with you to hhelp ya out if u wana ;pFerrule
@AndyLobel sorry, i forgot to add a variable $hash_1 which is the hash from $pass_1, and then its supposed to be checked with verify($hash_1, $chk_pass) stated from Andrew Moore from above comment.Lanner
@timpeterson: How many rounds are you using? More rounds = more complexity = more time...Honor
@AndrewMoore I literally copy and pasted your code into a test.php file. So I guess $rounds=12? However, when I decreased it to $rounds=1, it still took ~10 seconds. Is there something else I need to do to get time<1sec? For a consumer web application 10sec is too much time.Temporal
<strike>Am I the only one that doesn't see the rounds value being used in the hash function?</strike> Ignore that - it's specified as part of the hash.Lithoid
@AndrewMoore, sorry, I now see where the $rounds=15 as specified in your code: $bcrypt = new Bcrypt(15);. If you change that to $bcrypt = new Bcrypt(4); then it returns true almost instantly.Temporal
@timpeterson: You should select a number of rounds that results in 200-250 ms of work. Part of the reason why bcrypt is secure is that it is slow. You must ensure to have a number of rounds that keeps that characteristic.Honor
@AndrewMoore thanks, running microtime() from Bcrypt(4)to Bcrypt(9) the time goes from 0.010 to 0.314. So Bcrypt(9) is what i'll probably do.Temporal
Oh my god. Don't use crypto code that isn't uploaded to somewhere tied to, approved by, and peer-reviewed by people you can identify as real authorities on crypto. This isn't about open vs. closed source. Whereever it's uploaded to should offer visibility of the reviewed and verified source. This is about acknowledging that most of us don't have the chops to critique crypto, and not letting the blind lead the blind. I'm seriously supposed to rely on anonymous upvotes on a wiki to tell me whether I'm compromising my customer's data? Cause that's all non-crypto experts can do with this.Plastered
@MichaelLang: Good thing crypt() is peer-reviewed and verified then. The code above calls PHP's crypt(), which calls the POSIX crypt() function. All the code above does more is generating a random salt (which doesn't have to be cryptographically secure, the salt isn't considered a secret) before calling crypt(). Maybe you should do a little research yourself before calling wolf.Honor
Please note that this answer, while good, is starting to show its age. This code (like any PHP implementation relying on crypt()) is subject to a security vulnerability pre-5.3.7, and is (very slightly) inefficient post-5.3.7 - details of the relevant issue can be found here. Please also note that the new password hashing API (backwards compat lib) is now the preferred method of implementing bcrypt password hashing in your application.Tabbie
Better syntax to compare the PHP version: if (version_compare(phpversion(), '5', '>=')) { ... }.Intermixture
B
310

So, you want to use bcrypt? Awesome! However, like other areas of cryptography, you shouldn't be doing it yourself. If you need to worry about anything like managing keys, or storing salts or generating random numbers, you're doing it wrong.

The reason is simple: it's so trivially easy to screw up bcrypt. In fact, if you look at almost every piece of code on this page, you'll notice that it's violating at least one of these common problems.

Face It, Cryptography is hard.

Leave it for the experts. Leave it for people whose job it is to maintain these libraries. If you need to make a decision, you're doing it wrong.

Instead, just use a library. Several exist depending on your requirements.

Libraries

Here is a breakdown of some of the more common APIs.

PHP 5.5 API - (Available for 5.3.7+)

Starting in PHP 5.5, a new API for hashing passwords is being introduced. There is also a shim compatibility library maintained (by me) for 5.3.7+. This has the benefit of being a peer-reviewed and simple to use implementation.

function register($username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT);
    save($username, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    if (password_verify($password, $hash)) {
        //login
    } else {
        // failure
    }
}

Really, it's aimed to be extremely simple.

Resources:

Zend\Crypt\Password\Bcrypt (5.3.2+)

This is another API that's similar to the PHP 5.5 one, and does a similar purpose.

function register($username, $password) {
    $bcrypt = new Zend\Crypt\Password\Bcrypt();
    $hash = $bcrypt->create($password);
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $bcrypt = new Zend\Crypt\Password\Bcrypt();
    if ($bcrypt->verify($password, $hash)) {
        //login
    } else {
        // failure
    }
}

Resources:

PasswordLib

This is a slightly different approach to password hashing. Rather than simply supporting bcrypt, PasswordLib supports a large number of hashing algorithms. It's mainly useful in contexts where you need to support compatibility with legacy and disparate systems that may be outside of your control. It supports a large number of hashing algorithms. And is supported 5.3.2+

function register($username, $password) {
    $lib = new PasswordLib\PasswordLib();
    $hash = $lib->createPasswordHash($password, '$2y$', array('cost' => 12));
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $lib = new PasswordLib\PasswordLib();
    if ($lib->verifyPasswordHash($password, $hash)) {
        //login
    } else {
        // failure
    }
}

References:

  • Source Code / Documentation: GitHub

PHPASS

This is a layer that does support bcrypt, but also supports a fairly strong algorithm that's useful if you do not have access to PHP >= 5.3.2... It actually supports PHP 3.0+ (although not with bcrypt).

function register($username, $password) {
    $phpass = new PasswordHash(12, false);
    $hash = $phpass->HashPassword($password);
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $phpass = new PasswordHash(12, false);
    if ($phpass->CheckPassword($password, $hash)) {
        //login
    } else {
        // failure
    }
}

Resources

Note: Don't use the PHPASS alternatives that are not hosted on openwall, they are different projects!!!

About BCrypt

If you notice, every one of these libraries returns a single string. That's because of how BCrypt works internally. And there are a TON of answers about that. Here are a selection that I've written, that I won't copy/paste here, but link to:

Wrap Up

There are many different choices. Which you choose is up to you. However, I would HIGHLY recommend that you use one of the above libraries for handling this for you.

Again, if you're using crypt() directly, you're probably doing something wrong. If your code is using hash() (or md5() or sha1()) directly, you're almost definitely doing something wrong.

Just use a library...

Biannual answered 12/6, 2013 at 19:23 Comment(6)
The salt has to be randomly generated, however it doesn't need to come from a secure random source. The salt is not a secret. Being able to guess the next salt has no real security impact; as long as they come from a sufficiently large pool of data to generate different salts for each password encoded, you are fine. Remember, the salt is there to prevent the use of rainbow tables if your hashes come into bad hands. They are not secret.Honor
@AndrewMoore absolutely correct! However, the salt has to have enough entropy to be statistically unique. Not just in your application, but in all applications. So mt_rand() has a high enough period, but the seed value is only 32 bits. So using mt_rand() effectively limits you to only 32 bits of entropy. Which thanks to the Birthday Problem means that you have a 50% chance of collision at only 7k generated salts (globally). Since bcrypt accepts 128 bits of salt, it's better to use a source that can supply all 128 bits ;-). (at 128 bits, 50% chance of collision happens at 2e19 hashes)...Biannual
@ircmaxell: Hense the "sufficiently large pool of data". However your source doesn't have to be a VERY HIGH entropy source, just high enough for the 128 bits. However, if you have exhausted all your available sources (don't have OpenSSL, etc...) and your only fallback is mt_rand(), it is still better than the alternative (which is rand()).Honor
@AndrewMoore: absolutely. Not arguing that. Just that mt_rand and uniqid (and hence lcg_value and rand) are not first choices...Biannual
ircmaxell, thank you very much for the the password_compat library for 5.3.xx, we haven't needed this before but now we do, on a 5.3.xx php server, and thank you for your clear advice to not try to do this logic oneself.Tavy
Personally, I feel that one of the reasons that so many people know almost nothing about how to correctly/safely do many things with cryptography, is that they've always been told to stop trying to do it themselves. Sure, cryptography is hard to get correct, but that's all the more reason for people to practice it, ask more questions about it, and learn how to get it correct. Just my two cents on the topic... :)Goby
B
48

You'll get a lot of information in Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes or Portable PHP password hashing framework.

The goal is to hash the password with something slow, so someone getting your password database will die trying to brute force it (a 10 ms delay to check a password is nothing for you, a lot for someone trying to brute force it). Bcrypt is slow and can be used with a parameter to choose how slow it is.

Baseball answered 25/1, 2011 at 15:46 Comment(10)
@Arkh: Slowing down how fast it runs is not an issue. Bruteforcing will only work when you have failed as a developer to enforce strong password policies.Teletype
Enforce whatever you want, users will manage to screw up and use the same password on multiple things. So you have to protect it as much as possible or implement something which let you not have to store any password (SSO, openID etc.).Baseball
You can more easily prevent a bruteforce password attack by blocking "users" that fail to guess their password n-times in a day where n is greater than a reasonable number of tries, like 50.Luellaluelle
@Baseball So you're saying that by using a relatively slow hashing algorithm (it's still quite fast overall), I can prevent a black-hat from accessing a user's account for whom he is familiar with the password already because it's also the user's Myspace password and the user was phished yesterday?Luellaluelle
No. Password hashing is used to protect against one attack : someone stole your database and want to get cleartext login + passwords.Baseball
@Arkh: And what is to stop them from using a faster machine then you? Or distributing the load over a network of computers? Clouds are cheap, processing is cheap, therefor don't waste it in the hope it will slow someone down.Teletype
@Josh K. I encourage you to try to crack some simple passwords after getting them through phpass tuned so it takes between 1ms and 10ms to compute it on your webserver.Baseball
@Arkh: qwerty is still qwerty.Teletype
Agreed. But the kind of user who will use qwerty as a password is also the kind of user who will mark down any complicated one somewhere he (and attackers) can easily read it. What using bcrypt accomplishes is that when your db goes public against your will, it'll be harder to get to those user who have some password like ^|$$&ZL6-£ than if you used sha512 in one pass.Baseball
@Luellaluelle worth noting that doing that is more harmful than not blocking at all; that is easily considered a "denial of service" vector. Just start spamming bad logins on any known accounts and you can disrupt many users very, very easily. It's better to tarpit (delay) the attacker than outright deny access, especially if it's a paying customer.Hijacker
L
37

You can create a one-way hash with bcrypt using PHP's crypt() function and passing in an appropriate Blowfish salt. The most important of the whole equation is that A) the algorithm hasn't been compromised and B) you properly salt each password. Don't use an application-wide salt; that opens up your entire application to attack from a single set of Rainbow tables.

PHP - Crypt Function

Luellaluelle answered 25/1, 2011 at 15:48 Comment(5)
This is the right approach - use PHP's crypt() function, which supports several different password hashing functions. Make sure you are not using CRYPT_STD_DES or CRYPT_EXT_DES - any of the other supported types are fine (and includes bcrypt, under the name CRYPT_BLOWFISH).Coiffure
SHA indeed has a cost parameter as well, via the 'rounds' option. When using that, I also see no reason to favour bcrypt.Tatar
Actually, a single SHA-1 (or MD5) of a password is still easily brute-force-able, with or without salt (salt helps against rainbow tables, not against brute-forcing). Use bcrypt.Abiotic
I find it disturbing that everybody seems to say "bcrypt" when they mean php's crypt().Genia
@Panique Why? The algorithm is called bcrypt. crypt exposes several password hashes, with bcrypt corresponding to the CRYPT_BLOWFISH constant. Bcrypt is currently the strongest algorithm supported by crypt and several others it supports are quite weak.Alcott
S
34

Edit: 2013.01.15 - If your server will support it, use martinstoeckli's solution instead.


Everyone wants to make this more complicated than it is. The crypt() function does most of the work.

function blowfishCrypt($password,$cost)
{
    $chars='./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt=sprintf('$2y$%02d$',$cost);
//For PHP < PHP 5.3.7 use this instead
//    $salt=sprintf('$2a$%02d$',$cost);
    //Create a 22 character salt -edit- 2013.01.15 - replaced rand with mt_rand
    mt_srand();
    for($i=0;$i<22;$i++) $salt.=$chars[mt_rand(0,63)];
    return crypt($password,$salt);
}

Example:

$hash=blowfishCrypt('password',10); //This creates the hash
$hash=blowfishCrypt('password',12); //This creates a more secure hash
if(crypt('password',$hash)==$hash){ /*ok*/ } //This checks a password

I know it should be obvious, but please don't use 'password' as your password.

Subalternate answered 31/10, 2012 at 8:25 Comment(12)
The creation of the salt could be improved (use the random source of the OS), otherwise it looks good to me. For newer PHP versions it is better to use 2y instead of 2a.Fad
use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM) as source for the salt.Alcott
I'll take a closer look at mcrypt_create_iv() when I get a moment, if nothing else it should improve performance slightly.Subalternate
@Alcott I tried replacing the for loop with mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), but it generated values outside the 64 character alphabet.Subalternate
Add Base64 encoding and translate to the custom alphabet bcrypt uses. mcrypt_create_iv(17, MCRYPT_DEV_URANDOM), str_replace('+', '.', base64_encode($rawSalt)), $salt = substr($salt, 0, 22);Alcott
@JonHulka - Have a look at PHP's compatibility pack [Line 127], this is a straightforward implementation.Fad
@Alcott Since not all systems have php-mcrypt by default(my Ubuntu server didn't), and not everyone has privilege to install packages on their server, I'm leaving this as an alternative for those cases.Subalternate
Possible shortcut, try $salt .= uniqid($salt,true); instead of mt_rand(). Disclaimer: Check SO's discussion on uniqid.Grefe
It should be noted that using the example password as password, will generate TRUE even when using $hash=blowfishCrypt('password1',12); in conjunction with if(crypt('password',$hash)==$hash), therefore another example should be used and/or noted in this answer. However using $hash=blowfishCrypt('passworx',12); will be FALSE and won't match.Nepean
@Fred-ii- I just tested this: $hash=blowfishCrypt('password1',12); echo json_encode(crypt('password',$hash)==$hash); outputs 'false'Subalternate
@JonHulka So I guess using/adding json_encode helps it then.Nepean
@Fred-ii- no: json_encode just converts the value to a string.Subalternate
F
30

Version 5.5 of PHP will have built-in support for BCrypt, the functions password_hash() and password_verify(). Actually these are just wrappers around the function crypt(), and shall make it easier to use it correctly. It takes care of the generation of a safe random salt, and provides good default values.

The easiest way to use this functions will be:

$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

This code will hash the password with BCrypt (algorithm 2y), generates a random salt from the OS random source, and uses the default cost parameter (at the moment this is 10). The second line checks, if the user entered password matches an already stored hash-value.

Should you want to change the cost parameter, you can do it like this, increasing the cost parameter by 1, doubles the needed time to calculate the hash value:

$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 11));

In contrast to the "cost" parameter, it is best to omit the "salt" parameter, because the function already does its best to create a cryptographically safe salt.

For PHP version 5.3.7 and later, there exists a compatibility pack, from the same author that made the password_hash() function. For PHP versions before 5.3.7 there is no support for crypt() with 2y, the unicode safe BCrypt algorithm. One could replace it instead with 2a, which is the best alternative for earlier PHP versions.

Fad answered 11/1, 2013 at 8:7 Comment(2)
After I read this, my first thought was "how do you store the salt that is generated"? After poking through the docs, the password_hash() function ends up generating a string that stores the encryption method, the salt, and the generated hash. So, it just stores everything it needs in one string for the password_verify() function to work. Just wanted to mention this as it may help others when they view this.Fezzan
@Fezzan - Exactly, in an other answer i tried to explain this storage format with an example.Fad
S
7

Current thinking: hashes should be the slowest available, not the fastest possible. This suppresses rainbow table attacks.

Also related, but precautionary: An attacker should never have unlimited access to your login screen. To prevent that: Set up an IP address tracking table that records every hit along with the URI. If more than 5 attempts to login come from the same IP address in any five minute period, block with explanation. A secondary approach is to have a two-tiered password scheme, like banks do. Putting a lock-out for failures on the second pass boosts security.

Summary: slow down the attacker by using time-consuming hash functions. Also, block on too many accesses to your login, and add a second password tier.

Selfservice answered 7/12, 2011 at 20:56 Comment(5)
I think they assume that the attacker has already managed to steal my DB through some other means, and is now trying to get the passwords out in order to try them on paypal or something.Crossbeam
Half way through 2012 and this answer is still wonky, how does a slow hashing algorithm prevent rainbow table attacks? I thought a random byte range salt did? I always thought the speed of the hashing algorithm dictates how many iterations they can send against the hash they got form you in a specific amount of time. Also NEVER EVER BLOCK A USER ON FAILED LOGIN ATTEMPTS trust me your users will get fed up, often on some sites I need to login near 5 times sometimes more before I remember my password for it. Also second pass tier doesn't work, two step auth with mobile phone code could though.Alegar
@Alegar I would agree with this to a point. I setup a block on 5 failed login attempts, before raising it quickly to 7, then 10 now its sitting on 20. No normal user should have 20 failed login attempts but its low enough to easily stop brute force attacksHate
@BruceAldridge I personally would think it would be better to make your script pause for a random time after say, 7 failed logins and show a captcha rather than block. Blocking is a very aggresive move to take.Alegar
@Alegar I agree permanent blocks are bad. I'm referring to a temporary block that increases with the number of failed attempts.Hate
T
7

Here's an updated answer to this old question!

The right way to hash passwords in PHP since 5.5 is with password_hash(), and the right way to verify them is with password_verify(), and this is still true in PHP 8.0. These functions use bcrypt hashes by default, but other stronger algorithms have been added. You can alter the work factor (effectively how "strong" the encryption is) via the password_hash parameters.

However, while it's still plenty strong enough, bcrypt is no longer considered state-of-the-art; a better set of password hash algorithms has arrived called Argon2, with Argon2i, Argon2d, and Argon2id variants. The difference between them (as described here):

Argon2 has one primary variant: Argon2id, and two supplementary variants: Argon2d and Argon2i. Argon2d uses data-depending memory access, which makes it suitable for cryptocurrencies and proof-of-work applications with no threats from side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2id works as Argon2i for the first half of the first iteration over the memory, and as Argon2d for the rest, thus providing both side-channel attack protection and brute-force cost savings due to time-memory tradeoffs.

Argon2i support was added in PHP 7.2, and you request it like this:

$hash = password_hash('mypassword', PASSWORD_ARGON2I);

and Argon2id support was added in PHP 7.3:

$hash = password_hash('mypassword', PASSWORD_ARGON2ID);

No changes are required for verifying passwords since the resulting hash string contains information about what algorithm, salt, and work factors were used when it was created.

Quite separately (and somewhat redundantly), libsodium (added in PHP 7.2) also provides Argon2 hashing via the sodium_crypto_pwhash_str () and sodium_crypto_pwhash_str_verify() functions, which work much the same way as the PHP built-ins. One possible reason for using these is that PHP may sometimes be compiled without libargon2, which makes the Argon2 algorithms unavailable to the password_hash function; PHP 7.2 and higher should always have libsodium enabled, but it may not - but at least there are two ways you can get at that algorithm. Here's how you can create an Argon2id hash with libsodium (even in PHP 7.2, which otherwise lacks Argon2id support)):

$hash = sodium_crypto_pwhash_str(
    'mypassword',
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);

Note that it doesn't allow you to specify a salt manually; this is part of libsodium's ethos – don't allow users to set params to values that might compromise security – for example there is nothing preventing you from passing an empty salt string to PHP's password_hash function; libsodium doesn't let you do anything so silly!

Tracheotomy answered 19/2, 2014 at 14:17 Comment(0)
D
4

For OAuth 2 passwords:

$bcrypt = new \Zend\Crypt\Password\Bcrypt;
$bcrypt->create("youpasswordhere", 10)
Debar answered 25/3, 2016 at 16:55 Comment(0)
H
3

As we all know storing password in clear text in database is not secure. the bcrypt is a hashing password technique.It is used to built password security. One of the amazing function of bcrypt is it save us from hackers it is used to protect the password from hacking attacks because the password is stored in bcrypted form.

The password_hash() function is used to create a new password hash. It uses a strong & robust hashing algorithm. The password_hash() function is very much compatible with the crypt() function. Therefore, password hashes created by crypt() may be used with password_hash() and vice-versa. The functions password_verify() and password_hash() just the wrappers around the function crypt(), and they make it much easier to use it accurately.

SYNTAX

string password_hash($password, $algo, $options)

The following algorithms are currently supported by password_hash() function:

  • PASSWORD_DEFAULT
  • PASSWORD_BCRYPT
  • PASSWORD_ARGON2I
  • PASSWORD_ARGON2ID

Parameters: This function accepts three parameters as mentioned above and described below:

$password: It stores the password of the user.

$algo: It is the password algorithm constant that is used continuously while denoting the algorithm which is to be used when the hashing of password takes place.

$options: It is an associative array, which contains the options. If this is removed and doesn’t include, a random salt is going to be used, and the utilization of a default cost will happen.

Return Value: It returns the hashed password on success or False on failure.

Example:

Input:

echo password_hash("GFG@123", PASSWORD_DEFAULT);

Output:

$2y$10$.vGA19Jh8YrwSJFDodbfoHJIOFH)DfhuofGv3Fykk1a

Below programs illustrate the password_hash() function in PHP:

<?php echo password_hash("GFG@123", PASSWORD_DEFAULT); ?>

OUTPUT

$2y$10$Z166W1fBdsLcXPVQVfPw/uRq1ueWMA6sLt9bmdUFz9AmOGLdM393G
Homothermal answered 11/11, 2019 at 15:54 Comment(0)
S
0

The password_hash() function in PHP is a built-in function, used to create a new password hash with different algorithms and options. The function uses a strong hashing algorithm.

The function take 2 mandatory parameters: $password and $algorithm, and 1 optional parameter $options.

$strongPassword = password_hash( $password, $algorithm, $options );

Algorithms allowed right now for password_hash() are:

  • PASSWORD_DEFAULT
  • PASSWORD_BCRYPT
  • PASSWORD_ARGON2I
  • PASSWORD_ARGON2ID

Example:

echo password_hash("abcDEF", PASSWORD_DEFAULT);

Answer:

$2y$10$KwKceUaG84WInAif5ehdZOkE4kHPWTLp0ZK5a5OU2EbtdwQ9YIcGy

Example:

echo password_hash("abcDEF", PASSWORD_BCRYPT);

Answer:

$2y$10$SNly5bFzB/R6OVbBMq1bj.yiOZdsk6Mwgqi4BLR2sqdCvMyv/AyL2

To use the BCRYPT, set option cost=12 in an $options, also change first parameter $password to some strong password like "wgt167yuWBGY@#1987__".

Example:

echo password_hash("wgt167yuWBGY@#1987__", PASSWORD_BCRYPT, ['cost' => 12]);

Answer:

$2y$12$TjSggXiFSidD63E.QP8PJOds2texJfsk/82VaNU8XRZ/niZhzkJ6S
Stickler answered 11/8, 2020 at 17:44 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.