PHP 5.5 aims to curb password sloppiness


PHP version 5.5 will bring an API that helps administrators store passwords securely. With it, a single line of code produces a secure, salted password hash using the bcrypt method:

$hash = password_hash($password, PASSWORD_DEFAULT);

You do not need to take care of the salt yourself: it is generated automatically and adds a random component to the password. Verifying a password is just as easy:

password_verify($password, $hash);

Should the generated hashes fall into the wrong hands, a data thief can reconstruct the corresponding plaintext passwords only with considerable effort, provided the passwords are long enough. Bcrypt is, for one, very computationally intensive, and for another it requires a lot of memory, which makes it hard to crack on GPUs. A computer with eight CPU cores can generate only around 5,000 hashes per second, and a current GPU delivers similar results. By comparison, the figures for SHA1 are usually in the tens of millions.

Thanks to the salts, rainbow tables are of no use. If you wish, you can pass the hash function your own salt, adjust the complexity of bcrypt (the cost) or switch the hashing method. The API stores these settings in the hash string itself.
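The hashing, verification and cost setting described above, as an added example that is not part of the original article: a registration and login flow on top of the PHP 5.5 password API. The $users array stands in for a database table, the user name and password are constructed sample values, and a cost of 12 is an assumed setting (PHP's bcrypt default is 10).

```php
<?php
// Added example, not from the article. $users is a constructed stand-in
// for a database table; 'alice' and her password are sample values.

// Higher cost = slower hashing, for the server and for an attacker alike.
// 12 is an assumed setting; PHP's default bcrypt cost is 10.
$options = array('cost' => 12);

// Registration: store only the bcrypt hash, never the plaintext. The
// 60-character hash string embeds the algorithm, the cost and the random
// salt ("$2y$12$" + 22-char salt + 31-char hash), so no separate salt
// column is needed in the table.
function register_user(array &$users, $name, $password, array $options)
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
}

// Login: password_verify() reads salt and cost out of the stored hash,
// re-derives the hash from the candidate password and compares the two.
// If the stored hash was made with a weaker cost (or an older algorithm),
// password_needs_rehash() says so, and the hash is upgraded while the
// plaintext is still in hand. Returns true on a successful login.
function login_user(array &$users, $name, $password, array $options)
{
    if (!isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

$users = array();
// Registered earlier with the default cost of 10.
register_user($users, 'alice', 'correct horse battery staple', array('cost' => 10));

// A wrong password is rejected, the right one accepted.
var_dump(login_user($users, 'alice', 'wrong password', $options));
var_dump(login_user($users, 'alice', 'correct horse battery staple', $options));

// After the successful login the stored hash has been upgraded to cost 12;
// password_get_info() shows the algorithm and options parsed from the hash.
print_r(password_get_info($users['alice']));
```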

In the past, database dumps from renowned websites have repeatedly surfaced on the net, revealing that the providers had stored their users' passwords either as unsalted hashes or even in plain text. With the new API, administrators no longer have any excuse for such sloppiness; it could hardly be easier. Those who do not want to wait for PHP 5.5 can already download the API from GitHub.
