English
English
In PHP, the crypt() function is a traditional and powerful password encryption tool. It implements one-way hashing of passwords based on different encryption algorithms (such as DES, MD5, Blowfish, SHA-256, SHA-512, etc.), which is suitable for storing and verifying user passwords. This article will introduce in-depth how to use the crypt() function to generate a more secure password and share the best security configuration to help increase the strength of the password.
The basic usage of the crypt() function is as follows:
$hashed_password = crypt($password, $salt);
$password is the original password entered by the user.
$salt is the salt value used to control the encryption method and result, which determines the hashing algorithm and result format.
The salt value format directly affects the security of the password. The salt value formats supported by crypt() include:
DES (default, the salt length is 2 characters, weak security)
MD5 (Salt Format: $1$ + 8 Character Salt)
Blowfish (Salt Format: $2a$ or $2y$ + two-digit cost + 22-character salt)
SHA-256 (Salt Format: $5$ + Salt)
SHA-512 (Salt Format: $6$ + Salt)
The security of password storage depends not only on the algorithm itself, but also on the strength of the salt and the complexity of the algorithm:
The function of salt : prevents rainbow table attacks and ensures that the same password is encrypted differently each time.
Algorithm strength : More complex algorithms and higher computing costs (work factor) can resist brute-force cracking.
The following example demonstrates how to use crypt() in conjunction with the Blowfish algorithm ( $2y$ ) to generate a safer password:
<?php
function generateSecureHash($password) {
// generate22bit safe random salt
$salt = substr(str_replace('+', '.', base64_encode(random_bytes(16))), 0, 22);
// BlowfishCost parameters of the algorithm,The scope is generally04~31,default12Safer
$cost = '12';
// Constructing a salt string,The format is $2y$cost$Salt
$blowfish_salt = sprintf('$2y$%02d$%s', $cost, $salt);
// generateEncrypted password hash
return crypt($password, $blowfish_salt);
}
// test
$password = "MyS3cureP@ss!";
$hash = generateSecureHash($password);
echo "Encrypted password hash: " . $hash;
?>
Use random_bytes() to generate high-intensity random salts.
$2y$ is used to represent the Blowfish algorithm, which is suitable for secure password storage.
The cost parameter $cost determines the complexity of the algorithm. The higher the cost, the safer it is, but the longer the calculation time is. 12 is the recommended value for balancing performance and safety.
When verifying the password, re-encrypt the password entered by the user with the hash stored in the database using the crypt() function to compare whether the results are the same:
<?php
function verifyPassword($password, $stored_hash) {
// use存储的哈希中的Salt重新加密密码
$hash = crypt($password, $stored_hash);
// usehash_equalsPrevent time attack security comparison
return hash_equals($hash, $stored_hash);
}
// test验证
$input_password = "MyS3cureP@ss!";
if (verifyPassword($input_password, $hash)) {
echo "Password verification succeeded!";
} else {
echo "Error password!";
}
?>
Use Strong Random Salts : Avoid using fixed or predictable salts.
Choose the right algorithm : prioritize Blowfish( $2y$ ), SHA-256( $5$ ) or SHA-512( $6$ ).
Adjust cost parameters : The higher the cost, the more time-consuming the calculation, but the stronger the security. Reasonable balance.
Limit password attempts : Prevent brute-force cracking.
Combined with password complexity strategy : Forced password length and character diversity.
Regularly update algorithms and cost parameters : As computing power increases, safety standards are upgraded in a timely manner.
PHP official document: https://www.m66.net/manual/zh/function.crypt.php
