php-password-hash

Argon2 Algorithm in PHP7: understanding the time_cost parameter

可紊 submitted on 2019-12-09 08:10:48
Question: I'm trying to implement the Argon2 algorithm in an authentication library. I want to be able to provide some useful tips for the users to set the parameters. While I understand how memory_cost and threads parameters affect the algorithm, I can't seem to wrap my head around the time_cost parameter. What the PHP doc says: time_cost (integer) - Maximum amount of time it may take to compute the Argon2 hash. Defaults to PASSWORD_ARGON2_DEFAULT_TIME_COST. Interrogation 1 - The default value is 2.

hash_pbkdf2 vs password_hash PHP functions

家住魔仙堡 submitted on 2019-12-07 14:35:40
Question: As PHP 5.5.0 is out now, which one is better to use (security, portability, future proof)? It says the password_hash() PASSWORD_DEFAULT may change in each full release (+1.0 or +0.1), so how can we use previously DEFAULT method hashed password with new default? Does that mean PHP 5.5 scripts with already hashed passwords in database will not work on PHP 5.6 until users change their passwords? What about COST change (I'm trying to know if servers can be updated to php v5.6, or website admin may

PHP password_hash function salt length 21 or 22?

我们两清 submitted on 2019-12-07 11:24:13
Question:
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] );
Result: Warning: password_hash(): Provided salt is too short: 21 expecting 22
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] );
Result: $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] );
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX

hash_pbkdf2 vs password_hash PHP functions

北战南征 submitted on 2019-12-05 23:41:06
As PHP 5.5.0 is out now, which one is better to use (security, portability, future proof)? It says the password_hash() PASSWORD_DEFAULT may change in each full release (+1.0 or +0.1), so how can we use previously DEFAULT method hashed password with new default? Does that mean PHP 5.5 scripts with already hashed passwords in database will not work on PHP 5.6 until users change their passwords? What about COST change (I'm trying to know if servers can be updated to php v5.6, or website admin may change the hosting provider (and then change COST for weaker/stronger servers), without any problem

PHP password_hash function salt length 21 or 22?

落花浮王杯 submitted on 2019-12-05 17:55:13
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] );
Result: Warning: password_hash(): Provided salt is too short: 21 expecting 22
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] );
Result: $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] );
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
Question: As you see, by appending A and B to 21 character strings we created two different

Password hashing not working in php mysql

ⅰ亾dé卋堺 submitted on 2019-12-02 12:28:14
I am trying to use password hashing using phpmysql. The issue is password_verify does not seem to work for me so far. Say, my password during registration is '123456789'. I stored it in database using password_hash('123456789', PASSWORD_BCRYPT, array('cost' => 12)); And then when I enter '123456789' in the login field, it does nothing, fails. Here is my code: <?php session_start(); include('db.php'); ?> <!DOCTYPE html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" type=

How does password_hash really work?

て烟熏妆下的殇ゞ submitted on 2019-12-02 09:52:51
Question: I am trying to understand password_hash fully in order to be able to explain it for an auditor. Based on my searching for an answer, I understand that the password_hash() function is a wrapper for crypt(). While reading the PHP manual for predefined Constants I see that it uses PASSWORD_BCRYPT as the default integer value (basically it uses the CRYPT_BLOWFISH algorithm to hash a password). What's confusing me is that the $options variable, if omitted, generates a random salt and the cost

PHP password_hash(): Are password hashes portable between systems?

徘徊边缘 submitted on 2019-12-02 06:48:40
Question: It is my belief that passwords hashed using PHP's password_hash() function may be transferred to different systems and still be successfully used for verification purposes. It's my understanding that the bcrypt hash contains all the necessary components that, when combined with the plain text password, the given password may be verified. Because of this, the hash can be taken to any system with a compatible implementation and used for verification purposes. I will be trying this out soon, but

How does password_hash really work?

不羁的心 submitted on 2019-12-02 02:55:58
I am trying to understand password_hash fully in order to be able to explain it for an auditor. Based on my searching for an answer, I understand that the password_hash() function is a wrapper for crypt(). While reading the PHP manual for predefined Constants I see that it uses PASSWORD_BCRYPT as the default integer value (basically it uses the CRYPT_BLOWFISH algorithm to hash a password). What's confusing me is that the $options variable, if omitted, generates a random salt and the cost will be set to 10. If I supply a higher cost (for example: 12), will it still generate a random salt

PHP password_verify not working against database

帅比萌擦擦* submitted on 2019-12-01 13:23:12
Question: I'm trying to make a page more secure and I started with the password encrypting part of it. I'm trying to implement password_hash + password verify, but so far I've been unsuccessful to make the whole thing work. So, here it is in my login area: $username = mysqli_real_escape_string($connection, $_POST['username']); $password = mysqli_real_escape_string($connection, $_POST['password']); $query = "SELECT username, password FROM `users` WHERE username='$username' and user_enabled='1'"; $result =