Gist dzuelke/972386
```php
<?php
// secure hashing of passwords using bcrypt, needs PHP 5.3.7+ (the $2y$ prefix was added in 5.3.7)
// see http://codahale.com/how-to-safely-store-a-password/
// salt for bcrypt needs to be 22 base64 characters (but just [./0-9A-Za-z]), see http://php.net/crypt
$salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(22)), '+', '.'), 0, 22);
// 2y is the bcrypt algorithm selector, see http://php.net/crypt
// 12 is the workload factor (around 300ms on my Core i7 machine), see http://php.net/crypt
$hash = crypt('foo', '$2y$12$' . $salt);
// we can now use the generated hash as the argument to crypt(), since it too will contain $2y$12$... with a variation of the hash. No need to store the salt anymore, just the hash is enough!
// (on PHP 5.6+ prefer hash_equals($hash, crypt(...)) over == so the comparison is constant-time)
var_dump($hash == crypt('foo', $hash)); // true
var_dump($hash == crypt('bar', $hash)); // false
?>
```
FYI use PHP's built-in bcrypt and don't save the salt, but do increase the complexity integer as time goes on, security has never been so syntactically sugary. The function: http://docs.php.net/manual/en/function.password-hash.php
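The workflow described in this comment (let password_hash() generate the salt, store only the hash, raise the cost over time) as an added example; this is not code from the gist or from any commenter. It assumes PHP 5.5+ (or ircmaxell/password_compat on 5.3.7+), and the in-memory `$users` array, the `calibrateCost`, `registerUser` and `loginUser` helper names and the sample credentials are all constructed for the example:

```php
<?php
// Added example: registration and login with password_hash()/password_verify(),
// plus transparent upgrade of old hashes via password_needs_rehash().

// Pick the highest bcrypt cost in [$min, $max] whose hashing time stays under
// $targetMs on this machine. Re-run this when you move to faster hardware.
function calibrateCost($targetMs = 250, $min = 10, $max = 15)
{
    $cost = $min;
    while ($cost < $max) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, array('cost' => $cost + 1));
        if ((microtime(true) - $start) * 1000 > $targetMs) {
            break;
        }
        $cost++;
    }
    return $cost;
}

// Constructed stand-in for a user table: username => stored hash string.
$users = array();

function registerUser(array &$users, $name, $password, $cost)
{
    // bcrypt only looks at the first 72 bytes of the password; a pre-hash or
    // a length limit is needed if longer secrets must be fully significant.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    // The 60-char hash embeds algorithm, cost and salt; nothing else is stored.
    $users[$name] = $hash;
}

function loginUser(array &$users, $name, $password, $currentCost)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The hash verified but may carry a lower cost (or an older algorithm);
    // upgrade it now, the only moment the plaintext is legitimately available.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, array('cost' => $currentCost))) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, array('cost' => $currentCost));
    }
    return true;
}

// Usage with constructed sample data: the account was created at cost 10,
// policy has since moved to cost 12, and the login upgrades the stored hash.
$recommended = calibrateCost(250);
echo "calibrated cost for this machine: $recommended\n";

registerUser($users, 'alice', 'correct horse battery staple', 10);
$before = $users['alice'];

var_dump(loginUser($users, 'alice', 'wrong password', 12));                // false
var_dump(loginUser($users, 'alice', 'correct horse battery staple', 12)); // true
var_dump($before !== $users['alice']);                                     // true: rehashed
var_dump(password_get_info($users['alice'])['options']['cost']);          // int(12)
```

Because the salt and cost travel inside the hash string, raising the cost needs no schema change: old hashes keep verifying and are replaced one by one as users log in, so a cost bump is a configuration change rather than a migration.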
@charleshross What if you don't have PHP 5.5 installed?
@bruce-lim Use the password_compat library: https://github.com/ircmaxell/password_compat
Please read this; it is very important to understand secure and insecure salt techniques: https://crackstation.net/hashing-security.htm#phpsourcecode
Here, as you can see, PHP 5.5 has implemented the PBKDF2 noted by Crackstation:
http://php.net/manual/pt_BR/function.hash-pbkdf2.php.
If you are using PHP 5.5+ use @charleshross's tip.
From the manual (http://php.net/password_hash):
"The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default."
That is because password_hash() with PASSWORD_DEFAULT uses strong techniques to generate the salt behind the scenes.
Regards.
@nagarjun, the point of bcrypt and using blowfish ($2a$) is that you set a work factor high enough where it would take someone a very long time to crack a single password even though they have the salt and the final hash right there.
A single static salt that all users would share makes the whole storage mechanism less secure. A random salt per user, with a high enough work factor, is all you need.
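The contrast drawn in this comment (one static salt shared by all users versus a random salt per user) as an added example, not code from the gist or the thread. It reuses the gist's crypt() and $2y$ salt construction and assumes PHP 5.5+ for password_verify(); the `parseBcrypt`, `randomBcryptSalt` and `bcryptWithSalt` helper names and the sample password are constructed for the example:

```php
<?php
// Added example: same password, shared salt vs per-user salt, and where the
// salt lives inside the bcrypt hash string.

// Split a bcrypt hash into its fields. Constructed helper, not a PHP API.
// Layout: $2y$<2-digit cost>$<22 salt chars><31 digest chars> = 60 chars.
function parseBcrypt($hash)
{
    if (!preg_match('/^\$2[abxy]\$(\d{2})\$([.\/0-9A-Za-z]{22})([.\/0-9A-Za-z]{31})$/', $hash, $m)) {
        return null;
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]);
}

// 22 characters from the bcrypt alphabet, exactly as the gist builds it.
// (On PHP 7+ random_bytes() is the preferred CSPRNG call.)
function randomBcryptSalt()
{
    return substr(strtr(base64_encode(openssl_random_pseudo_bytes(22)), '+', '.'), 0, 22);
}

function bcryptWithSalt($password, $salt, $cost = 10)
{
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() reports failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or malformed salt');
    }
    return $hash;
}

// Constructed scenario: two users who happen to pick the same password.
$password = 'hunter2';

// Insecure variant: one static salt reused for every account.
$staticSalt = randomBcryptSalt();
$h1 = bcryptWithSalt($password, $staticSalt);
$h2 = bcryptWithSalt($password, $staticSalt);
// Identical rows expose that the two users share a password, and every guess
// an attacker makes is checked against all accounts at once.
var_dump($h1 === $h2); // true

// Secure variant: a fresh random salt per account (what password_hash() does).
$h3 = bcryptWithSalt($password, randomBcryptSalt());
$h4 = bcryptWithSalt($password, randomBcryptSalt());
var_dump($h3 === $h4); // false: equal passwords are no longer visible in the table

// Each hash still verifies on its own, because its salt is carried inside it.
var_dump(password_verify($password, $h3) && password_verify($password, $h4)); // true
$p3 = parseBcrypt($h3);
$p4 = parseBcrypt($h4);
var_dump($p3['cost'] === 10 && $p3['salt'] !== $p4['salt']); // true
```

The parse step is the practical answer to "where do I store the salt": the 22 characters after the cost field are the salt, so the stored column needs nothing beyond the 60-character hash, and a per-row random salt costs no extra schema or code.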