<p><code>bcrypt</code> is a hashing algorithm which is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensure that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password <a href="https://en.wikipedia.org/wiki/Salt_%28cryptography%29" rel="noreferrer">salts</a> (<code>bcrypt</code> REQUIRES salts) and you can be sure that an attack is virtually unfeasible without either a ludicrous amount of funds or hardware.</p>

<p><code>bcrypt</code> uses the <em>Eksblowfish</em> algorithm to hash passwords. While the encryption phases of <em>Eksblowfish</em> and <em>Blowfish</em> are exactly the same, the key schedule phase of <em>Eksblowfish</em> ensures that any subsequent state depends on both salt and key (user password), and no state can be precomputed without the knowledge of both. <strong>Because of this key difference, <code>bcrypt</code> is a one-way hashing algorithm.</strong> You cannot retrieve the plain text password without already knowing the salt, rounds <strong>and key</strong> (password). [<a href="http://www.usenix.org/events/usenix99/provos/provos_html/node4.html" rel="noreferrer">Source</a>]</p>

<h1>How to use bcrypt:</h1>

<h2>Using PHP &gt;= 5.5-DEV</h2>

<p>Password hashing functions <a href="http://php.net/password_hash" rel="noreferrer">have now been built directly into PHP &gt;= 5.5</a>. You may now use <a href="http://php.net/password_hash" rel="noreferrer"><code>password_hash()</code></a> to create a <code>bcrypt</code> hash of any password:</p>

<pre><code>&lt;?php
// Usage 1:
echo password_hash('rasmuslerdorf', PASSWORD_DEFAULT)."\n";
// $2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
// For example:
// $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

// Usage 2:
$options = [
    'cost' =&gt; 11
];
echo password_hash('rasmuslerdorf', PASSWORD_BCRYPT, $options)."\n";
// $2y$11$6DP.V0nO7YI3iSki4qog6OQI5eiO6Jnjsqg7vdnb.JgGIsxniOn4C
</code></pre>

<p>To verify a user provided password against an existing hash, you may use <a href="http://php.net/password_verify" rel="noreferrer"><code>password_verify()</code></a> as follows:</p>

<pre><code>&lt;?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
</code></pre>

<h2>Using PHP &gt;= 5.3.7, &lt; 5.5-DEV (also RedHat PHP &gt;= 5.3.3)</h2>

<p>There is a <a href="https://github.com/ircmaxell/password_compat" rel="noreferrer">compatibility library</a> on <a href="http://en.wikipedia.org/wiki/GitHub" rel="noreferrer">GitHub</a> created based on the source code of the above functions originally written in C, which provides the same functionality. Once the compatibility library is installed, usage is the same as above (minus the shorthand array notation if you are still on the 5.3.x branch).</p>

<h2>Using PHP &lt; 5.3.7 <em>(DEPRECATED)</em></h2>

<p>You can use the <code>crypt()</code> function to generate bcrypt hashes of input strings. This class can automatically generate salts and verify existing hashes against an input. <strong>If you are using a version of PHP higher than or equal to 5.3.7, it is highly recommended you use the built-in function or the compat library</strong>. This alternative is provided only for historical purposes.</p>

<pre><code>class Bcrypt {
    private $rounds;

    public function __construct($rounds = 12) {
        if (CRYPT_BLOWFISH != 1) {
            throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
        }
        $this-&gt;rounds = $rounds;
    }

    public function hash($input) {
        $hash = crypt($input, $this-&gt;getSalt());
        // crypt() returns a short failure marker (e.g. "*0") when the salt is rejected,
        // so anything longer than 13 characters is a real bcrypt hash.
        if (strlen($hash) &gt; 13) return $hash;
        return false;
    }

    public function verify($input, $existingHash) {
        // crypt() reuses the cost and salt embedded in $existingHash, so the
        // result equals $existingHash only if $input is the original password.
        $hash = crypt($input, $existingHash);
        return $hash === $existingHash;
    }

    private function getSalt() {
        // "$2a$" is the bcrypt identifier crypt() understands before PHP 5.3.7
        // (later versions also emit "$2y$"); the cost is zero-padded to two digits.
        $salt = sprintf('$2a$%02d$', $this-&gt;rounds);
        $bytes = $this-&gt;getRandomBytes(16);
        $salt .= $this-&gt;encodeBytes($bytes);
        return $salt;
    }

    private $randomState;

    private function getRandomBytes($count) {
        $bytes = '';
        if (function_exists('openssl_random_pseudo_bytes') &amp;&amp;
            (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL is slow on Windows
            $bytes = openssl_random_pseudo_bytes($count);
        }
        if ($bytes === '' &amp;&amp; is_readable('/dev/urandom') &amp;&amp;
            ($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
            $bytes = fread($hRand, $count);
            fclose($hRand);
        }
        if (strlen($bytes) &lt; $count) {
            // Last resort: an md5/microtime-seeded generator, used only when no
            // CSPRNG source above is available. It is far weaker than /dev/urandom.
            $bytes = '';
            if ($this-&gt;randomState === null) {
                $this-&gt;randomState = microtime();
                if (function_exists('getmypid')) {
                    $this-&gt;randomState .= getmypid();
                }
            }
            for ($i = 0; $i &lt; $count; $i += 16) {
                $this-&gt;randomState = md5(microtime() . $this-&gt;randomState);
                if (PHP_VERSION &gt;= '5') {
                    $bytes .= md5($this-&gt;randomState, true);
                } else {
                    $bytes .= pack('H*', md5($this-&gt;randomState));
                }
            }
            $bytes = substr($bytes, 0, $count);
        }
        return $bytes;
    }

    private function encodeBytes($input) {
        // The following is code from the PHP Password Hashing Framework.
        // It encodes the 16 random bytes into the 22-character bcrypt salt alphabet.
        $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

        $output = '';
        $i = 0;
        do {
            $c1 = ord($input[$i++]);
            $output .= $itoa64[$c1 &gt;&gt; 2];
            $c1 = ($c1 &amp; 0x03) &lt;&lt; 4;
            if ($i &gt;= 16) {
                $output .= $itoa64[$c1];
                break;
            }

            $c2 = ord($input[$i++]);
            $c1 |= $c2 &gt;&gt; 4;
            $output .= $itoa64[$c1];
            $c1 = ($c2 &amp; 0x0f) &lt;&lt; 2;

            $c2 = ord($input[$i++]);
            $c1 |= $c2 &gt;&gt; 6;
            $output .= $itoa64[$c1];
            $output .= $itoa64[$c2 &amp; 0x3f];
        } while (true);

        return $output;
    }
}
</code></pre>

<p>You can use this code like this:</p>

<pre><code>$bcrypt = new Bcrypt(15);
$hash = $bcrypt-&gt;hash('password');
$isGood = $bcrypt-&gt;verify('password', $hash);
</code></pre>

<p>Alternatively, you may also use the <a href="http://www.openwall.com/phpass/" rel="noreferrer">Portable PHP Hashing Framework</a>.</p>
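<p>The answer above shows how to hash and verify, but not what to do when the cost stored in the <code>$2y$10$</code> prefix falls behind your current policy. The following is an added example (not part of the original answer) that reads the cost back with <code>password_get_info()</code> and uses <code>password_needs_rehash()</code> to upgrade a legacy hash at login time; it assumes PHP 7.1+ and a hypothetical cost policy of 12, with the legacy row constructed inline at cost 10.</p>

```php
<?php
// Added example, not part of the original answer. Assumes PHP 7.1+ with the
// built-in password_* functions. Verifies a login against a stored bcrypt hash
// and transparently re-hashes it when the stored cost is lower than the
// current policy (the cost is carried in the "$2y$NN$" prefix of the hash).
declare(strict_types=1);

const BCRYPT_COST = 12; // hypothetical current policy; legacy rows may be at 10

// Reads the algorithm name and cost back out of a stored "$2y$NN$..." string.
function storedHashInfo(string $hash): array
{
    $info = password_get_info($hash);
    return [
        'algo' => $info['algoName'],
        'cost' => $info['options']['cost'] ?? null,
    ];
}

// Returns the hash to keep in the database (unchanged or upgraded) on success,
// or null on a wrong password. Upgrading is only possible here because the
// plaintext is in hand right after a successful verify.
function loginAndUpgrade(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    $policy = ['cost' => BCRYPT_COST];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $policy)) {
        return password_hash($password, PASSWORD_BCRYPT, $policy);
    }
    return $storedHash;
}

// Constructed legacy row: the sample password hashed at the old cost of 10.
$legacyHash = password_hash('rasmuslerdorf', PASSWORD_BCRYPT, ['cost' => 10]);
echo 'stored row: ', json_encode(storedHashInfo($legacyHash)), "\n";

if (loginAndUpgrade('wrong-password', $legacyHash) === null) {
    echo "wrong password rejected; row left untouched\n";
}

$newHash = loginAndUpgrade('rasmuslerdorf', $legacyHash);
echo 'after login: ', json_encode(storedHashInfo($newHash)), "\n";
if ($newHash !== $legacyHash) {
    echo "hash was upgraded to the policy cost; write it back to the database\n";
}
if (loginAndUpgrade('rasmuslerdorf', $newHash) === $newHash) {
    echo "second login at policy cost needs no rehash\n";
}
```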