Hashing Overview in PHP

Introduction

In this article we will learn why hashing matters for storing passwords securely in PHP. Password hashing is one of the most basic security concerns when developing an application or website. We usually accept some value from the user, such as a password, and without hashing we store it as-is in the application's database. The question is what happens if someone steals the application database: you may lose the application's connection to its users, along with many other things.

For such scenarios we use hashing. By applying a hashing algorithm to a password before storing it in the database, we make it implausible for attackers to determine the original password, while still being able to compare the resulting hash against the password the user supplies in the future.

Topics

  • About hash
  • About salt
  • Code

About Hashing

Hashing is an algorithm for protecting user-supplied passwords from attackers. Algorithms such as MD5, SHA1 and SHA256 are available, and they are very fast and efficient. That speed is the problem: with modern techniques and computer equipment, it has become trivial to "brute force" a stored (hashed) value and recover the original input. PHP 5.5 provides a native password hashing API that safely handles both hashing and verifying passwords. Passwords can also be verified with the crypt() function, but then we need to take care to prevent timing attacks by using a constant-time string comparison. Neither the "==" and "===" operators nor strcmp() perform constant-time string comparisons. password_verify() does, so it is what should be used to verify a password.

About Salt

A cryptographic salt is data that is applied during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their inputs, known as a rainbow table.

A salt is a "bit" of additional data that makes our hashes safer against attackers. With a salt, the result can no longer be found in such a pre-calculated list. password_hash() creates a random salt if one is not provided, and this is generally the easiest and most secure approach.

Code

    <?php
    // Hash the password with PHP's current default algorithm;
    // a random salt is generated automatically.
    echo password_hash("hello", PASSWORD_DEFAULT)."\n";
    ?>



When we use password_hash() or crypt(), the return value includes the salt as part of the generated hash. This value should be stored as-is in the database, since it includes information about the hash function that was used and can be given directly to password_verify() or crypt() when we verify the password.
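
The store-and-verify flow described above, as an added example that is not code from the original article. The $db array is a constructed stand-in for a users table, and register() and login() are hypothetical helper names.

```php
<?php
// Added example: registration and login built on PHP's native password API.
// $db is a constructed in-memory stand-in for a users table (assumption).
$db = [];

// Hypothetical helper: store only the hash, never the password itself.
function register(array &$db, $user, $password)
{
    // A fresh random salt is generated on every call and embedded in the result.
    $db[$user] = password_hash($password, PASSWORD_DEFAULT);
}

// Hypothetical helper: returns true only when the password matches.
function login(array &$db, $user, $password)
{
    if (!isset($db[$user])) {
        return false;
    }
    // password_verify() reads the algorithm, cost and salt back out of the
    // stored string and does the comparison in constant time.
    if (!password_verify($password, $db[$user])) {
        return false;
    }
    // If PASSWORD_DEFAULT has changed since this hash was created, replace it
    // now, while the plain-text password is available.
    if (password_needs_rehash($db[$user], PASSWORD_DEFAULT)) {
        $db[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register($db, 'alice', 'hello');
register($db, 'bob', 'hello');

// Same password, different random salts: the two stored strings differ, so a
// pre-calculated table of hashes cannot be matched against either of them.
var_dump($db['alice'] === $db['bob']);

// The stored string is self-describing: algorithm and options are inside it.
print_r(password_get_info($db['alice']));

var_dump(login($db, 'alice', 'hello'));   // correct password
var_dump(login($db, 'alice', 'Hello'));   // wrong password
var_dump(login($db, 'carol', 'hello'));   // unknown user
```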

Summary

In this article we learned how to handle passwords securely: salts, hashing and their workflow. Thanks for reading this article.
