Author: Muhammad Umer Farooq
Viewers: 859
Last month viewers: 5
Package: PHP Argon2 Password Verify
Hashing functions are often used before storing passwords to make it hard to guess the original password in case of a security breach.
Read this article to learn more about modern PHP hashing methods that make them hard to break these days.
Short Introduction to Hashing
Hashing is the application of a function f()
to input of a variable size to produce output of a constant size.
A => f() => X
B => f() => Y
C => f() => Z
A hash is also the result of a one-way function. This means that there isn't a function to reverse or undo a hash. As well re-applying the hash f(f(x))
isn't going to product x
again.
The hashing of passwords follows this process as described above. However it comes with some special considerations. Many of the properties that make up a good hash function are not beneficial when it comes to passwords.
PHP password hashing support will bundled in next release of Zest Framework (3.0.0). But this package can be used just by in any PHP application or frameworks.
PHP Argon2 Password Verify Package
This package provides secure Bcrypt and Argon2 hashing for storing user passwords.
Requirements
- PHP 7 (7.3 recommended).
- Composer.
The Argon2i driver requires PHP 7.2.0 or greater and the Argon2id driver requires PHP 7.3.0 or greater.
Bcrypt is a great choice for hashing passwords because its 'work factor' parameter is configurable, which means that the time it takes to generate a hash can be increased as hardware power increases.
Installation
Installing this package is very simple, first ensure you have the right PHP version and composer installed. Then in your command line terminal enter:
composer require lablnet/hashing
Basic Usage
You may create a hash for a password by calling the make
method on the Hashing Class:
<?php
use Lablnet\Hashing;
require '../vendor/autoload.php';
$hashing = new Hashing();
//Original password
$password = 123456;
//Hash the password
$password_hash = $hashing->make($password);
echo $password_hash;
Adjusting The Argon2 Work Factor
If you are using the Argon2I or Argon2Id algorithm, the make
method allows you to manage the work factor of the algorithm using the memory, time, and thread options:
$hashing = new Hashing('argon2i');
$password_hash = $hashing->make($password, [
'memory' => 1024,
'time' => 2,
'threads' => 2,
]);
For more information on these options, check out the official PHP documentation.
Verifying a Password Against a Hash
The verify
method allows you to verify that a given plain-text string corresponds to a given hash.
if ($hashing->verify($password,$password_hash)) {
//The password matched.
}
Checking If A Password Needs To Be Rehashed
The needsRehash
function allows you to determine if the work factor used by the hashing has changed since the password was hashed:
if ($hashing->needsRehash($hashed)) {
$password_hash = $hashing->make($password);
}
Supported Algorithms
This package supports 3 algorithms:
- Bcrypt
- Argon2I
- Argon2ID
To use different algorithms we can use the following code:
$hashing = new Hashing('supported-algorithm');
$bvcryptHashing = new Hashing('bcrypt');
Changing the Default Work Factors
You can provide default work factors like this:
// Argon2
$argon2Hashing = new Hashing('argon2i', [
'memory' => 1024,
'time' => 2,
'threads' => 2,
'verify' => false,
]);
//Bcrypt
$vcryptHashing = new Hashing('bcrypt'[
'cost' => 12,
'verify' => false,
]);
When the verify option is set to true, the class will also verify if the algorithm generated a correct hash for the password.
This article was originally posted in https://zestframework.xyz/blog/view/sRHfgAJ/PHP+secure+password+hashing+in+2019
You need to be a registered user or login to post a comment
1,616,107 PHP developers registered to the PHP Classes site.
Be One of Us!
Login Immediately with your account on:
Comments:
No comments were submitted yet.