
Use crypt() to refactor the password processing logic of old systems

M66 2025-05-27

The security of password-handling logic deserves particular attention when maintaining and upgrading old systems. The password hashing methods many old systems use are no longer secure and are easily cracked. PHP's crypt() function can work with several hashing algorithms to produce strong hashes, which helps us rebuild the password-handling logic and improve system security.

This article explains how to use PHP's crypt() function with a secure salt and algorithm to gradually replace the insecure password hashing methods found in old systems.

1. Why use the crypt() function?

crypt() is PHP's built-in password hashing function and supports a variety of hashing algorithms, such as:

  • DES

  • MD5

  • Blowfish

  • SHA-256

  • SHA-512

It selects the algorithm automatically from the format of the salt it is given and produces a strong password hash that is hard to reverse. Compared with calling MD5 or SHA1 directly, crypt() is far better suited to password hashing.

2. Problems in old system password processing

Many old systems hash passwords in a simplistic way and may have the following defects:

  • Using a single unsalted hash (such as MD5 or SHA1), which is easily cracked with rainbow-table attacks.

  • Using a fixed or trivial salt, which cannot stop identical passwords from producing identical hashes.

  • Storing passwords in plaintext or under simple reversible encryption, which risks disclosure if the database leaks.

All of these have greatly reduced the security of the system.

3. Example of password encryption using crypt()

The following example demonstrates how to generate a password hash with crypt() using the Blowfish (bcrypt) algorithm.

<?php
// User-submitted plaintext password
$password = 'user_password';

// Generate a random salt. The Blowfish algorithm expects the format: $2y$ + cost parameter + 22-character salt
$cost = 12; // Work factor: the higher it is, the harder the hash is to crack, but the more CPU each hash costs
$salt = sprintf('$2y$%02d$%s', $cost, substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22));

// Use crypt() to generate the password hash
$hash = crypt($password, $salt);

echo "Password hash: " . $hash;
?>

This hash string can be stored in the database. To verify a password later, call the same crypt() function and pass the stored hash as the salt parameter; crypt() then reads the correct salt and algorithm from it automatically.

4. Password verification example

To verify the password, you only need to call crypt() once and compare the results:

<?php
$input_password = 'user_password'; // User input
$stored_hash = '$2y$12$wW5O3K7uGp1oKpJ.HUJZEuWQNUkXpzB1I7N1h7qMm6E82JZXNpM4a'; // Hash stored in the database

if (crypt($input_password, $stored_hash) === $stored_hash) {
    echo "Password verification passed";
} else {
    echo "Error password";
}
?>

Because each hash carries its own random salt, two users with the same password still get different hashes, which improves security.

5. How to gradually replace in old systems

  • Evaluate the existing password storage method to confirm whether passwords are stored in plaintext or with a weak hash.

  • Design a migration strategy, for example detecting the password hash format when the user logs in and, once the old format has been verified successfully, using crypt() to generate a new hash that overwrites the old one.

  • When adding new users or resetting passwords, use the new hashing method directly.

  • Strengthen the system's overall security configuration: limit the number of login attempts, use HTTPS, and protect data in transit.
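The login-time migration described in the strategy above, as an added example that is not part of the original article: it verifies a submitted password against either a legacy hash or a bcrypt hash and, on a successful legacy login, returns a fresh crypt() hash for the caller to write back. It assumes the old system stored unsalted md5($password) as 32 hex characters; the function names and the sample record are constructed for this example.

```php
<?php
declare(strict_types=1);

const BCRYPT_COST = 12;

// Generate a bcrypt hash with crypt(): $2y$ prefix, cost, and a 22-character random salt.
function bcrypt_hash(string $password, int $cost = BCRYPT_COST): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // On an invalid salt crypt() returns a short failure string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Returns true when $password matches $stored. If $stored was a legacy MD5 hash,
// $upgraded receives the new bcrypt hash that the caller must persist.
function verify_and_upgrade(string $password, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (strncmp($stored, '$2y$', 4) === 0) {
        // Passing the stored hash as the salt makes crypt() reuse its algorithm, cost and salt.
        // hash_equals() compares in constant time, unlike ===.
        return hash_equals($stored, crypt($password, $stored));
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) { // assumed legacy format: unsalted MD5
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $upgraded = bcrypt_hash($password); // the plaintext is only available at login time
        return true;
    }
    return false; // unknown format: reject rather than guess
}

// Constructed sample record: a legacy MD5 hash of the password "correct horse".
$row = ['username' => 'alice', 'password_hash' => md5('correct horse')];

if (verify_and_upgrade('correct horse', $row['password_hash'], $newHash)) {
    if ($newHash !== null) {
        $row['password_hash'] = $newHash; // e.g. UPDATE users SET password_hash = ? WHERE username = ?
    }
    echo "login ok, stored hash now starts with " . substr($row['password_hash'], 0, 7) . "\n";
}
```

A second login with the same record then takes the bcrypt branch and returns no upgrade, so the legacy column disappears from the database as users log in.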

6. Avoid common misunderstandings

  • Don't write your own salt generation logic. Use a strong random source such as random_bytes().

  • Do not use cheap algorithms, and set the cost parameter sensibly (for example a Blowfish cost of 12 or more).

  • Avoid sending password hashes in URLs; if it is unavoidable, make sure they are properly encoded and protected.

7. Combining framework and library

If your PHP version allows it, you can use PHP's native password_hash() and password_verify() functions (PHP 5.5+). They are built on crypt() underneath and offer a simpler, safer interface.

<?php
$hash = password_hash('user_password', PASSWORD_BCRYPT);
if (password_verify('user_password', $hash)) {
    echo "Password verification succeeded";
}
?>

8. Additional Resources