Securing Passwords

Now that you've made it this far, it's time to create the user, 0:00 since all of our checks have passed. 0:03 We do, however, need to work with our password a little bit more. 0:06 PHP has a nice feature that we can use for our password hashing and 0:10 verification, and it's built into the core. 0:14 We'll be using password hash to actually create the password that we'll store in 0:19 the database. 0:24 This function will create a single direction hash. 0:25 Meaning this hash cannot be reversed to see the plain text password. 0:29 The password hash function takes in some properties. 0:33 The first property is the plain text password. 0:37 The next property defines what algorithm you want to use. 0:40 I suggest that you leave this set as password default, 0:45 since PHP will update to a new default if a better algorithm exists, or is created. 0:48 Currently the algorithm that is used is the bcrypt algorithm, 0:54 which will produce a modular crypt format, MCF password. 0:59 The final property is an array of options. 1:04 We'll be using all the default options for this project, but to learn more, 1:07 you can find information in the notes associated with this video. 1:11 Let's take a quick look at what a password in MCF format looks like. 1:16 That way you'll be familiar with the format when you see the password stored 1:21 this way. 1:25 The $2y$ states that this is a bcrypt hash in modular crypt format. 1:25 Modular crypt format, or MCF, is a standard for 1:33 encoding password hash strings. 1:37 Other options the password may start with are 2a or 2b. 1:40 The next part of the hash is the cost. 1:45 This defines how many iterations over the hashing you want. 1:48 This iteration count will be two times the cost value. 1:53 Typically, this cost is ten and is fine. 1:57 But if your computer hardware can handle more, you can increase this value. 2:00 Third in the string is the actual salt that is used for hashing. 2:05 The last part of the string is the resulting hash. 2:08 The plain text of the user's password is never stored. 2:12 Once you put all that together, you will receive a 60-character string that 2:16 you can safely store in your database. 2:21 Now with our understanding of password hash, we can hash our password for 2:24 use in our database. 2:29 Inside of our doRegister procedure, 2:30 we're going to add $hashed = password_hash, 2:35 And the password with PASSWORD_DEFAULT. 2:42 We're now ready to add the user to the database. 2:50 Once again, the function we'll need is in our Functions_users file. 2:54 We're going to create a user. 3:04 We pass the username and the password. 3:07 Inside this function, we also have a role_id. 3:11 We'll be using a role_id of 2 for general users, and 3:14 a role_id of 1 for administrators. 3:18 You can see here that new registered users will all be set to a general user. 3:22 We'll go into more detail when we talk about the authorization. 3:28 This function uses the find user by username function to return 3:33 the user if the user wasn't created. 3:38 Let's use this function in our procedure. 3:40 Will set $user = createUser, and 3:46 we'll pass the username and our $hashed password. 3:50 We'll make use of this user after we handle login, but for now, 3:59 we need to add a flash message and redirect the user to the homepage. 4:03 We'll add $session-> getFlashBag(). 4:08 And this time, we'll add success. 4:14 And say, User Added. 4:20 Then we'll redirect to the homepage. 4:25 Let's try adding a user. 4:31 Admin and the password. 4:36 First make sure they don't match, perfect. 4:43 And then, user. 4:46 And matching passwords. 4:49 Great, it tells us that our user has been added, but we can't log in yet. 4:53 Let's look at that next. 4:58