Protecting sensitive information such as an employee's login credentials is a concern that every programming language has to address; it is a core part of internet security. Each language offers its own algorithms for the purpose. In PHP, we have a variety of options, from beginner to advanced level, to protect against vulnerabilities.
There are many posts where you can find methods to protect a PHP website from SQL injection, but far less content on the internet addresses credential safety. In this post, we explain the most common methods of password protection in PHP.
The popular Zend framework even provides Zend Guard software on the security side. Whether passwords should be hashed or encrypted is still debated; without getting into that debate, we'll discuss methods for both approaches.
PHP has a variety of algorithms that hide the actual password and give maximum security through encryption techniques. Password encryption methods are not very popular among developers because they are reversible. The most common password protection methods among PHP developers are as follows.
Password Hashing
Hashing is similar to fingerprinting: just as a fingerprint is unique, a hash is unique to its input, which is why it is also called a digital fingerprint. It is a one-way process. Hashing is considered one of the safest techniques for securing passwords.
The hashing algorithm is applied to the password field before the data is inserted into the database. This way, the password cannot be exploited directly if an attacker gets hold of the database. Note that hashing protects passwords within the data store; it does not guarantee protection against interception by malicious code before the password reaches the hash function.
The most common hashing functions are:
md5():
It returns the MD5 hash of a string as a 32-character hexadecimal string.
Example
<?php
$str = "PHP";
echo md5($str); // displays the 32-character hex MD5 hash of $str
?>
Output
2fec392304a5c23ac138da22847f9b7c
sha1():
The sha1() function calculates the SHA-1 hash of a string using the US Secure Hash Algorithm 1 and returns it as a 40-character hexadecimal string.
<?php
$str = "php";
echo sha1($str);
?>
Output
47425e4490d1548713efea3b8a6f5d778e4b1766
Salt
A cryptographic salt is a piece of extra data that makes the stored hash harder to crack. With a salt in place, a stolen hash cannot simply be looked up in a precomputed table. The salt is a string that is hashed together with the password so that dictionary attacks do not work.
Example
<?php
$password = 'swordfish';
$salt = 'something random';
$hash = md5($salt . $password); // salt and password are hashed together; value: db4968a3db5f6ed2f60073c747bb4fb5
echo $hash;
?>
Output
db4968a3db5f6ed2f60073c747bb4fb5
How to store salts?
crypt() and password_hash() both embed the salt in the hash string they return, so the salt is stored together with the hash.
Crypt():
It is a one-way hashing function: crypt() returns a hashed string. Its salt parameter is nominally optional, but without a salt the resulting hash is weak. The function supports the MD5, Blowfish and DES algorithms, and its behaviour varies between operating systems.
Password_hash()
It creates a new password hash using a one-way hashing algorithm and is compatible with crypt(). password_hash() is one of the strongest techniques for storing passwords securely.
Example
<?php
echo password_hash("php", PASSWORD_DEFAULT)."\n";
?>
Output (password_hash() generates a random salt, so the exact string differs on every run)
$2y$10$NSjtgWRZJ/IOoaFwiYEEIu.5/3YBpFgQAghqTKCATx9luYRNSVlu2
Password_verify()
It verifies that the entered password matches the stored hash.
Example
<?php
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
Output
Password is valid!
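As an added example that is not part of the original post, here is a minimal register/login flow that puts password_hash(), password_verify() and password_needs_rehash() together; the $users array and the usernames are constructed stand-ins for a database table.

```php
<?php
// Added example (not from the original post): register/login built on
// password_hash() / password_verify(), showing the salt embedded in the
// stored string and the rehash check on login. $users is a constructed
// in-memory stand-in for the users table.
declare(strict_types=1);

/** Hash a new password; PHP generates and embeds a random salt itself. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** Check a login attempt; returns true only if the password matches. */
function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a throwaway hash when the user is unknown, so the call
    // takes roughly the same time whether or not the username exists.
    $stored = $users[$username] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored)) {
        return false;
    }
    // If the default algorithm or cost has changed since the hash was made,
    // upgrade the stored hash now, while the plaintext is available.
    if (isset($users[$username]) && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'swordfish');

// The stored value is "$2y$<cost>$<22-char salt><31-char hash>"; the salt
// is not secret and needs no separate database column.
$info = password_get_info($users['alice']);
echo "algorithm: {$info['algoName']}, cost: {$info['options']['cost']}\n";
echo "embedded salt: " . substr($users['alice'], 7, 22) . "\n";

// Same password, different hash: the random salt differs per call, so two
// users with the same password never share a database value.
registerUser($users, 'bob', 'swordfish');
var_dump($users['alice'] === $users['bob']);

var_dump(loginUser($users, 'alice', 'swordfish'));
var_dump(loginUser($users, 'alice', 'Swordfish'));
var_dump(loginUser($users, 'mallory', 'swordfish'));
```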
So, we have covered the most commonly used hashing functions. They will help you make your passwords safer and more secure. Got any questions? I'm here to help. Just leave me a comment below!
About the Author
Atif Qureshi is an engineer who loves working with PHP. He works as PHP Community Champion at Cloudways. Aside from work, he likes gardening and spending time with his pets. Get in touch with him at [email protected].