PHPBuilder - Most Secure Password Encryption Methods in PHP



RSS Twitter
Articles

Most Secure Password Encryption Methods in PHP

by: Atif Qureshi
|
February 12, 2016

The security of sensitive information such as login credentials of an employee is a topic which has always been addressed in every programming language. It is a subject of internet security. Every language has its own algorithms to ensure safety and security. In PHP, we have variety of options from beginner to advanced level to protect against vulnerabilities.

 

There are many posts where you can find methods to protect a PHP website from SQL Injections. But you will find less content over the internet addressing credential safety methods. In this post, we are going to explain the most common methods of passwords protection in PHP.

 

Popular framework Zend in fact provides Zend Guard software to ensure the security perspective. Although it is still a debate, that should passwords be hashed or encrypted? Well, without getting into this debate, we’ll discuss methods for both approaches.

 

PHP has a variety of algorithms which enable hiding actual passwords and get the maximum security by using encryption techniques. Password encryption methods are not much popular among developers, because they are reversible. The most common password encryption methods among PHP developers are as follows.

 

Password Hashing

The hashing concept is similar to fingerprints. Just like fingerprints are unique, the same way, hash is always unique which is also referred to as digital fingerprints. It is a one way process. Hashing methodology is considered as one of the safest techniques for securing passwords.

 

Hashing algorithm is applied to password fields before data insertion in database. In this way, you make the password unexploitable in case of hacker attack. It is important to note at this point that hashing passwords protects within data store, but it doesn’t guarantee protection against interception by any malicious code.

 

Most common hashing functions are

 

md5():

 

It displays the md5 hash of a string.

 

Example

 


<?php
$str = "PHP";
echo md5($str);//it will dsplay encrypted output of $str
?> 

 

Output

 

2fec392304a5c23ac138da22847f9b7c
sha1():
The sha1() function calculates the SHA-1 hash of a string. Sha1 is basically used for calculating the SHA-1 of a string.  It calculates using US secure hash algorithm.
<?php
$str = "php";
echo sha1($str);
?> 

 

Output

 

47425e4490d1548713efea3b8a6f5d778e4b1766

 

Salt

Cryptographic salt data is basically a bit of data which makes it more difficult to crack the data. If you are using salt, then it is impossible to exploit your password. Salt is a string which is hashed with password so that dictionary attacks would not work.

 

Example

 

<?php
$password = 'swordfish';
$salt = 'something random';
$hash = md5($salt . $password); // Value: db4968a3db5f6ed2f60073c747bb4fb5
echo $hash;
?> 

 

Output

 

db4968a3db5f6ed2f60073c747bb4fb5

 

How to store salts?

 

Crypt() and password_hash() are used to store salts.

 

Crypt():

 

It is basically one way hashing. Crypt() is used to get a hashed string. Its general syntax contains a salt parameter which is optional, but without salt, a weak password is generated. This function uses MD5, Blowfish and DES algorithms. This function’s performance varies with respect to operating systems.

 

Password_hash()

It creates new passwords by means of one way hashing algorithm. It is compatible with crypt(). Password_hash() is one of the strongest techniques of creating secure passwords.

 

Example

 

<?php
echo password_hash("php", PASSWORD_DEFAULT)."\n";
?> 

 

Output

 

$2y$10$NSjtgWRZJ/IOoaFwiYEEIu.5/3YBpFgQAghqTKCATx9luYRNSVlu2

 

Password_verify()

 

It is used to verify If the entered password matches the encryption.

 

Example

 

<?php
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify('rasmuslerdorf', $hash)) {
           echo 'Password is valid!';
} else {
           echo 'Invalid password.';
}
?> 

 

Output

 

Password is valid!

 

So, we have covered the most commonly used hashing functions. These functions will help you to make your passwords more safe and secure. Got any questions? I’m here to help. Just leave me a comment below!

 

 

About the Author

Atif Qureshi is an engineer who loves working with PHP. He works as PHP Community Champion at Cloudways. Aside from work, he likes gardening and spending time with his pets. Get in touch with him at atif.shahab@cloudways.com.

Comment and Contribute

Your comment has been submitted and is pending approval.

Author:
Atif Qureshi

Comment:



Comment:

(Maximum characters: 1200). You have characters left.