The RFC for a new simple to use password hashing API has just been accepted for PHP 5.5. As the RFC itself is rather technical and most of the sample codes are something you should not use, I want to give a very quick overview of the new API:
Everybody knows that you should be hashing their passwords using bcrypt, but still a surprising number of developers uses insecure md5 or sha1 hashes (just look at the recent password leaks). One of the reasons for this is that the crypt() API is ridiculously hard to use and very prone to programming mistakes.
By adding a new, very simple to use API we hope to move more developers towards bcrypt.
Creating password hashes can't be any simpler than this:
$hash = password_hash($password, PASSWORD_DEFAULT);
This will create a password hash using the default algorithm (currently bcrypt), the default load factor (currently 10) and an automatically generated salt. The used algorithm and salt will also be part of the resulting hash, so you don't need to worry about them at all ;)
If you don't want to stick with the defaults (which might change in the future), you can also provide algorithm and load factor yourself:
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
Verifying passwords is just as easy:
<?php
// $password from user, $hash from database
if (password_verify($password, $hash)) {
// password valid!
} else {
// wrong password :(
}
Remember: The salt and algorithm are part of the hash, so you don't need to provide them separately.
As time goes by you might want to change the password hashing algorithm or load factor, or PHP may change the defaults to be more secure. In this case new accounts should be created using the new options and existing passwords rehashed on login (you can do this only on login because you need the original password to do a rehash).
Doing this is also very simple:
<?php
function password_verify_with_rehash($password, $hash) {
if (!password_verify($password, $hash)) {
return false;
}
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
$hash = password_hash($password, PASSWORD_DEFAULT);
// update hash in database
}
return true;
}
The above snippet will keep your hashes up to date with the PHP default. But once again you can also specify custom options, e.g. password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12'])
.
The new API will only be introduced in PHP 5.5, but you can already use a PHP implementation of the same API now! The compatibility implementation will automatically disable itself once you upgrade to 5.5.
hello, first of all, nice post! My question is: now that we have a specific function for password hash, the best method for verifying if the user is logged in some system is still by using sessions? or there's a better way on some new 5.5 functions? Thanks in advance!