Shulou(Shulou.com)06/02 Report--

PHP implementation of PBKDF2-based password_hash and password_verify functions is how, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can get something.

Recently, the national network security requirements are very strict, our product partners require us to use the PBKDF2 standard to store passwords. As I was not familiar with this standard, I did some homework.

A basic common sense is that users' passwords cannot be stored in clear text, otherwise, once the hacker gets the database information, the password will be leaked directly.

To upgrade, passwords directly use sha1 or the more secure sha2 algorithm to generate hash values and store them in the database. This is how most password stores are designed. Is this safe enough?

No, because hackers can still use rainbow tables and brute force to crack passwords.

To solve these two problems, it is necessary to do the following two points:

1. Random salt is added in the process of password generation, so that the hash value of the same password is different each time, which makes the rainbow table invalid.

two。 The operation speed of encryption algorithm is relatively slow, which will increase the cost of brute force cracking for hackers.

At present, the mainstream password storage algorithms are bcrypt and PBKDF2. PHP has added password_hash and password_verify functions since 5.5. built-in supports the bcrypt algorithm. If you want to strengthen the security of password storage, there are no special requirements for the algorithm, you can use it directly.

However, for the need to use the PBKDF2 standard to deal with encrypted storage, there is no ready-made function to use, but PHP has added the hash_pbkdf2 function since 5.5.5.Then I used this function to implement the password_hash and password_verify functions based on the PBKDF2 standard. The code is as follows:

Function password_hash_pbkdf2 ($password) {$iterations=1000; $length=30; $salt= openssl_random_pseudo_bytes (8); $salt_encode=base64_encode ($salt); $hash= hash_pbkdf2 ("sha256", $password,$ salt, $iterations, $length); return $hash.$salt_encode;} function password_verify_pbkdf2 ($password,$hash) {$iterations=1000; $length=30; $passhash=substr ($hash,0,$length); $salt=base64_decode (substr ($hash,$length)) $passhash3=hash_pbkdf2 ("sha256", $password, $salt, $iterations, $length); if ($passhash==$passhash3) {return true;} return false;} will it help you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.