- Registration System 6:08
- Securing Passwords 5:38
- Login Systems 4:53
- Building a JWT 4:52
- Authentication Review 5 questions
- Working with Cookies 4:24
- Require Authentication 5:22
- Logging Out 3:13
- Flash Messages 5:29
- Cookies and Flash Messages 3 questions
- User Profile 9:30
- Reset Password 4:42
- Password Hashing 1 objective
Preview
Video Player
00:00
00:00
Securing Passwords
5:38There are many ways a user can secure their passwords when storing them in a database, however bcrypt is the defacto standard.
It's now time to create the user,
since all our checks have passed.
0:00
We do however need to work with
our password a little bit.
0:04
PHP has a nice feature that we can use for
password hashing and for verification.
0:08
We'll be using password
hash to actually create
0:14
the password we store in the database.
0:17
This method will create
a single direction hash,
0:19
meaning this hash cannot be reversed
to see the plain text password.
0:23
The password hash function,
takes in some properties.
0:28
The first property is
the Plain text password.
0:31
The next property defines what
algorithm you want to use.
0:35
I suggest that you leave this as
password default since PHP will update
0:39
to a new default for you if the better
algorithm exists or is created.
0:44
Currently the algorithm
that is used is B crypt,
0:50
which will produce a modular
crypt format password.
0:53
The final property is an array of options.
0:56
We'll be using all the default options for
this project, but
1:00
to learn more,
you can find information in the notes.
1:03
Let's take a quick look at what a password
in modular crypt format looks like.
1:07
[SOUND] The first part states that this is
a B crypt hash in Modular Crypt Format.
1:12
Modular Crypt Format or MCF is a standard
for encoding password hash strings,
1:17
other options the password
may start with are 2A or 2B.
1:24
The next part of the hash is the cost.
1:29
This defines how many iteration
is over the hashing you want.
1:32
This iteration count will be two
to the exponent of cost value.
1:36
Typically, this cost is ten and
that's fine.
1:40
But if your computer hardware can handle
more you can increase this value.
1:43
Third in the string is the saw
that is used for hashing.
1:48
The last part of the string
is the resulting hash.
1:52
The plain text of the user
password is never stored.
1:55
Once you put all that together, you
will receive a 60 character string that
1:59
you can safely store in your database.
2:04
Now with our understanding
of password hash,
2:06
we can hash our password for
use in our database.
2:09
Inside our do register procedure.
2:13
We're going to add
$hashed = password_hash,
2:15
we'lll pass password, and
2:24
then PASSWORD_DEFAULT.
2:29
Next, let's add a new
function called createUser.
2:34
We'll need the email and the password.
2:48
Again start with global $db,
And our try to catch block.
2:55
And we'll throw our exception.
3:16
For our query,
we're going to INSERT INTO USERS.
3:22
Email, password, and role_id.
3:29
We'll be using a role ID of two for
general users and a role ID of one for
3:35
administrators.
3:40
There will be more on this coming up
when we talk about authorization.
3:41
For our values,
3:46
we'll use email,
3:50
password and 2.
3:54
Prepare our query.
4:06
And bind the values
4:11
Then we execute.
4:39
And we'll return findUserByEmail and
4:42
pass the email.
4:48
This function will now return
the user if the user was created.
4:51
Let's use this function in our procedure.
4:55
$user = createUser($email,
5:02
$hashed);.
5:08
We'll make use of this user
after we handle our login.
5:11
For now, we'll just redirect
the user back to the home page,
5:15
redirect back to the home page.
5:20
Let's go back to the browser and
register a user.
5:23