English
English
Security is always one of the most concerned issues for developers when handling user passwords in PHP. Although PHP's password_hash() function has provided a convenient and secure way to store passwords, in some specific scenarios, developers may still choose to use crypt() for more detailed control. This article will introduce how to generate safer salt values by combining random_bytes() to improve the security of password storage.
Salt is a piece of random data that is added before and after the password and participates in hashing operations, ensuring that the hash value they eventually generate is also different even if two users use the same password. No salt value or the use of fixed salt value will make the password more vulnerable to rainbow table attacks and dictionary attacks .
crypt() is a function for password hashing. It supports multiple hashing algorithms such as DES , MD5 , SHA-256 , SHA-512 . Among them, SHA-256 and SHA-512 are currently the most recommended options.
An example of crypt() using the SHA-512 algorithm:
$password = 'examplePassword';
$salt = '$6$rounds=5000$usesomesillystringforsalt$';
$hash = crypt($password, $salt);
$6$ here means using SHA-512, rounds=5000 means 5000 iterations, and the following string is the salt value.
Compared to using static strings, random_bytes() can generate a truly encrypted strong random byte stream, which is ideal for building safe salt values.
Here is a complete example showing how to combine random_bytes() and crypt() to securely hash the password:
function generateSalt($length = 16) {
// Generate random bytes of the specified length,And convert to Base64,Remove it again and may affect crypt() Characters of
$rawSalt = base64_encode(random_bytes($length));
// Clear '+'、'/' and '=',To fit crypt() Require
$cleanSalt = str_replace(['+', '/', '='], '', $rawSalt);
return substr($cleanSalt, 0, $length);
}
function hashPassword($password) {
$salt = generateSalt();
$fullSalt = '$6$rounds=10000$' . $salt . '$';
return crypt($password, $fullSalt);
}
function verifyPassword($password, $hash) {
return hash_equals($hash, crypt($password, $hash));
}
$userPassword = 'mySecret123';
$hashed = hashPassword($userPassword);
// storage $hashed Go to the database
// When verifying login
$inputPassword = 'mySecret123';
if (verifyPassword($inputPassword, $hashed)) {
echo 'Correct password';
} else {
echo 'Error password';
}
Salt value length control : crypt() has requirements for the salt value length, which is usually limited to 16 characters, and the excess part will be truncated.
Do not reuse salt values : new random salt values should be used every time a password hash is generated.
Don't build hash structures manually : Although you can manually splice salt structures (such as $6$rounds=10000$salt$ ), it is recommended to use official methods (such as password_hash() ) whenever possible to avoid potential errors.
Upgrade suggestions : If it is not a specific requirement, it is recommended to use password_hash() and password_verify() , which automatically handle salt values and algorithm selection internally.
By combining random_bytes() and crypt() , developers can manually control each link of password encryption, improve the randomness and unpredictability of password storage, and thus resist more attack scenarios. Especially in systems with high safety requirements, this method provides a higher guarantee than traditional static salt values.
If you need to further strengthen security, you can also consider combining the hashing results with other user identifiers (such as mailbox, username, etc.), or using a more modern encryption library, such as sodium . However, the premise is always: using reliable random salt values is the first step in password security.
In actual deployment, please ensure that HTTPS is enabled on the entire site and properly manage database permissions and backup policies to avoid plain text passwords and weak encryption methods becoming weak points in system security.
