
2013-09-27 11:09:40

PHP 5.5 "Password Hashing API"

Categories: php, security, passwords

PHP version 5.5.0 has finally been released. You can read about the new features here. There are a lot of articles about PHP 5.5.0, but since I haven't found much about the "Password Hashing API", let's talk a little about it. The main point of the new API is that it takes charge of generating reliable hashes, hiding from the developer operations like adding a salt and choosing the algorithm to use (Bcrypt by default).
A new hash is created with "$hash = password_hash($password, PASSWORD_DEFAULT);" and checked by calling "password_verify($password, $hash)". This API was developed because many developers took a lazy approach to salt generation and used weak hashing algorithms.
Let us look at the constants, the functions and some code.

[ Constants ]

PASSWORD_BCRYPT (integer) = 1
PASSWORD_BCRYPT is used to create a new password hash with the CRYPT_BLOWFISH algorithm (link here).

PASSWORD_DEFAULT (integer) = PASSWORD_BCRYPT
It is used as the default hash algorithm if none is given. It may change in a newer PHP version when new and more effective hashing algorithms are introduced (Scrypt, for example).

[ Functions ]

array password_get_info ( string $hash ) — Gives information about the hash.
  • hash - hash created with password_hash().
» Returns an array with three elements (keys):
  • algo - the algorithm as a constant value
  • algoName - the human-readable name of the algorithm
  • options - array with all the options that were used when calling password_hash()


string password_hash ( string $password, integer $algo [, array $options ] ) — Creates a new password hash.
  • password - user password.
  • algo - algorithm constant or none (the default value will be used).
  • options - array with options. Currently only accepts salt and cost (how many resources are needed in order to create the hash).

Returns the password hash, or FALSE if an error occurs.



boolean password_needs_rehash ( string $hash, integer $algo [, array $options ] ) — Checks if the given hash matches the given algorithm and options.
  • hash - hash created with password_hash().
  • algo - algorithm constant or none (the default value will be used).
  • options - array with options. Currently only accepts salt and cost (how many resources are needed in order to create the hash).

If the hash does not match, it returns TRUE, meaning that the hash has to be regenerated; FALSE otherwise.



boolean password_verify ( string $password, string $hash ) — Checks if the given password matches the hash.
  • password - user password.
  • hash - hash created with password_hash().

Returns TRUE if the password and the hash match each other, FALSE otherwise.

[ Code and results ]

// A fixed salt: every hash created with these options shares it
// (it is visible in the first hash of the output below).
$options = [
    'cost' => 7,
    'salt' => 'MyCustomBigSaltStringYeah',
];

// One hash with the custom options, one with the defaults (cost 10).
$hash['hash'][] = password_hash("kennyslabs", PASSWORD_BCRYPT, $options);
$hash['hash'][] = password_hash("kennyslabs", PASSWORD_DEFAULT);

$hash['info'][] = password_get_info($hash['hash'][0]);
$hash['info'][] = password_get_info($hash['hash'][1]);

// Does each hash still match the given algorithm and options?
$hash['rehash'][] = password_needs_rehash($hash['hash'][0], PASSWORD_BCRYPT, $options);
$hash['rehash'][] = password_needs_rehash($hash['hash'][0], PASSWORD_DEFAULT);
$hash['rehash'][] = password_needs_rehash($hash['hash'][1], PASSWORD_DEFAULT);

// Correct password against both hashes, then a wrong one against both.
$hash['pas_verify'][] = password_verify('kennyslabs', $hash['hash'][0]);
$hash['pas_verify'][] = password_verify('kennyslabs', $hash['hash'][1]);
$hash['pas_verify'][] = password_verify('kennyslabsf', $hash['hash'][0]);
$hash['pas_verify'][] = password_verify('kennyslabsf', $hash['hash'][1]);

var_dump($hash);

array(4) {
  ["hash"]=>
  array(2) {
    [0]=> string(60) "$2y$07$MyCustomBigSaltStringOscicoiOaVV0WVuA7AbnjOdaXpVjgziS"
    [1]=> string(60) "$2y$10$/xbSztdBtLFzgLt37nfoa.SzwfBa1.ruBH5m1nwbm0Nz2u32ML2sa"
  }
  ["info"]=>
  array(2) {
    [0]=>
    array(3) {
      ["algo"]=> int(1)
      ["algoName"]=> string(6) "bcrypt"
      ["options"]=>
        array(1) {
          ["cost"]=> int(7)
        }
    }
    [1]=>
    array(3) {
      ["algo"]=> int(1)
      ["algoName"]=> string(6) "bcrypt"
      ["options"]=>
        array(1) {
          ["cost"]=> int(10)
        }
    }
  }
  ["rehash"]=>
    array(3) {
      [0]=> bool(false)
      [1]=> bool(true)
      [2]=> bool(false)
    }
  ["pas_verify"]=>
    array(4) {
      [0]=> bool(true)
      [1]=> bool(true)
      [2]=> bool(false)
      [3]=> bool(false)
    }
}

Version      System time  User time  Max. memory usage
5.5.0alpha1  0,018 s      0,267 s    12,152 MiB
5.5.0alpha2  0,018 s      0,267 s    12,148 MiB
5.5.0alpha3  0,015 s      0,271 s    12,148 MiB
5.5.0alpha4  0,019 s      0,268 s    12,164 MiB
5.5.0alpha5  0,014 s      0,270 s    12,195 MiB
5.5.0alpha6  0,016 s      0,304 s    12,219 MiB
5.5.0beta1   0,017 s      0,270 s    12,270 MiB
5.5.0beta2   0,027 s      0,294 s    12,270 MiB
5.5.0beta3   0,022 s      0,265 s    12,656 MiB
5.5.0beta4   0,016 s      0,299 s    12,656 MiB
5.5.0        0.020 s      0.328 s    12,680 MiB
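The results above show what password_needs_rehash() is for: the cost-7 hash is flagged under the default cost, and the only moment a stronger hash can be produced is a successful login, when the plaintext is available. This is an added example of that "rehash on login" pattern, not code from the original post; the function name login_check(), the cost of 12 and the user record are assumptions.

```php
<?php
// Added example, not code from the original post: the "rehash on login"
// pattern that password_needs_rehash() exists for. login_check() is a
// hypothetical name chosen for this example.

/**
 * Verify a login attempt and, on success, report whether the stored hash
 * must be replaced because it no longer matches the current policy.
 * Returns ['ok' => bool, 'new_hash' => string|null]; the caller persists
 * new_hash when it is not null.
 */
function login_check($password, $stored, $algo, array $options)
{
    // password_verify() reads algorithm, cost and salt from the hash
    // string itself, so it takes no options.
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    // The plaintext exists only during a successful login, so this is the
    // only moment at which a stronger hash can be produced.
    if (password_needs_rehash($stored, $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        return ['ok' => true, 'new_hash' => $newHash];
    }
    return ['ok' => true, 'new_hash' => null];
}

// Current policy (assumption: cost 12 tuned to the target server). Raising
// the cost later is the point: old hashes are upgraded on their next login.
$policyAlgo    = PASSWORD_DEFAULT;
$policyOptions = ['cost' => 12];

// Constructed user record hashed under the old cost of 7 as in the post,
// but with no 'salt' option: PHP then draws a random salt for each hash.
$stored = password_hash('kennyslabs', PASSWORD_BCRYPT, ['cost' => 7]);

foreach (['kennyslabs', 'kennyslabsf'] as $attempt) {
    $r = login_check($attempt, $stored, $policyAlgo, $policyOptions);
    if (!$r['ok']) {
        echo "$attempt: rejected\n";
        continue;
    }
    if ($r['new_hash'] !== null) {
        $info = password_get_info($r['new_hash']);
        echo "$attempt: accepted, hash upgraded to cost {$info['options']['cost']}\n";
        $stored = $r['new_hash'];      // persist the upgraded hash here
    } else {
        echo "$attempt: accepted, hash already current\n";
    }
}
```

The first attempt is accepted and its hash upgraded, so the second, wrong attempt is checked against the cost-12 hash and rejected.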

These functions can already be used in pre-5.5.0 PHP versions. You just need to use this code written by Anthony Ferrara: github.com/ircmaxell/password_compat/blob/master/lib/password.php (PHP >= 5.3.7).

Hope this helps.
