Securing Passwords (5:01) with Alena Holligan
There are many ways to secure user passwords before storing them in a database; however, bcrypt is the de facto standard.

password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT, which creates new password hashes using the CRYPT_BLOWFISH algorithm. This will always result in a hash in the "$2y$" crypt format, which is always 60 characters wide.
- salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
- cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
More about the Modular Crypt Format (MCF)
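The following is an added example, not code from the course or from Treehouse, showing the three password_* calls a registration and login flow needs: password_hash() to create the bcrypt MCF string, password_verify() to check a login attempt, and password_needs_rehash() to raise the cost later without forcing a reset. It also splits a stored hash into the parts described above (identifier, cost, salt, hash) so you can see the 60-character layout. The cost field is the base-2 logarithm of the round count (2^cost iterations). It assumes PHP 7.1 or later and deliberately lets password_hash() generate the salt; the salt option is deprecated since PHP 7.0 and removed in 8.0. The function names and the sample password are my own.

```php
<?php
// Added example (not part of the course): bcrypt hashing, inspection and
// verification with PHP's core password_* functions. Assumes PHP >= 7.1.
declare(strict_types=1);

// Hash a plain-text password. PASSWORD_DEFAULT currently means bcrypt ("$2y$").
// The salt is generated by password_hash(); never pass one yourself.
function hashPassword(string $plain, int $cost = 10): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

// Split a bcrypt MCF string into its parts:
//   $<id>$<cost>$<22-char salt><31-char hash>   (7 + 22 + 31 = 60 chars)
// Returns null if the string is not a bcrypt hash in MCF.
function parseBcryptHash(string $hash): ?array
{
    $pattern = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($pattern, $hash, $m)) {
        return null;
    }
    return [
        'identifier' => $m[1],            // 2a, 2b or 2y
        'cost'       => (int) $m[2],      // work factor
        'rounds'     => 2 ** (int) $m[2], // bcrypt runs 2^cost iterations
        'salt'       => $m[3],            // random, stored alongside the hash
        'hash'       => $m[4],            // the actual digest
        'length'     => strlen($hash),    // always 60 for bcrypt
    ];
}

// Login check. Verifies the attempt and, if the stored hash was made with a
// lower cost than we now want, returns a fresh hash to write back to the
// database so old accounts migrate to the stronger setting over time.
function checkLogin(string $plain, string $storedHash, int $targetCost = 12): array
{
    if (!password_verify($plain, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => $targetCost])) {
        $newHash = password_hash($plain, PASSWORD_DEFAULT, ['cost' => $targetCost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// --- constructed demo values (not real credentials) ---
$plain  = 'correct horse battery staple';
$stored = hashPassword($plain);          // what doRegister() would store

print_r(parseBcryptHash($stored));       // identifier, cost, rounds, salt, hash

// Hashing the same password twice yields different strings because each
// call draws a new random salt; compare with password_verify(), never with ==.
$second = hashPassword($plain);
var_dump($stored !== $second);

// Correct password at login; cost 10 is below the target of 12, so a
// replacement hash is offered for the caller to persist.
$login = checkLogin($plain, $stored, 12);
var_dump($login['ok'], $login['newHash'] !== null);

// Wrong password is rejected and no rehash is produced.
var_dump(checkLogin('not the password', $stored)['ok']);
```

In the course's doRegister flow the $hashed value is what gets passed to createUser(); the checkLogin() pattern above belongs in the login handler you build next, where the returned newHash, when non-null, should be written back to the user's row.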
Now that you've made it this far, it's time to create the user, since all of our checks have passed. We do, however, need to work with our password a little bit more. PHP has a nice feature that we can use for our password hashing and verification, and it's built into the core. We'll be using password_hash to actually create the password that we'll store in the database. This function will create a single direction hash, meaning this hash cannot be reversed to see the plain text password. The password_hash function takes in some properties. The first property is the plain text password. The next property defines what algorithm you want to use. I suggest that you leave this set as PASSWORD_DEFAULT, since PHP will update to a new default if a better algorithm exists, or is created. Currently the algorithm that is used is the bcrypt algorithm, which will produce a modular crypt format, MCF, password. The final property is an array of options. We'll be using all the default options for this project, but to learn more, you can find information in the notes associated with this video.

Let's take a quick look at what a password in MCF format looks like. That way you'll be familiar with the format when you see the password stored this way. The $2y$ states that this is a bcrypt hash in modular crypt format. Modular crypt format, or MCF, is a standard for encoding password hash strings. Other options the password may start with are 2a or 2b. The next part of the hash is the cost. This defines how many iterations over the hashing you want. This iteration count will be two times the cost value. Typically, this cost is ten and is fine. But if your computer hardware can handle more, you can increase this value. Third in the string is the actual salt that is used for hashing. The last part of the string is the resulting hash. The plain text of the user's password is never stored. Once you put all that together, you will receive a 60-character string that you can safely store in your database.

Now with our understanding of password_hash, we can hash our password for use in our database. Inside of our doRegister procedure, we're going to add $hashed = password_hash, and the password with PASSWORD_DEFAULT. We're now ready to add the user to the database. Once again, the function we'll need is in our Functions_users file. We're going to create a user. We pass the username and the password. Inside this function, we also have a role_id. We'll be using a role_id of 2 for general users, and a role_id of 1 for administrators. You can see here that new registered users will all be set to a general user. We'll go into more detail when we talk about the authorization. This function uses the find user by username function to return the user if the user wasn't created. Let's use this function in our procedure. We'll set $user = createUser, and we'll pass the username and our $hashed password. We'll make use of this user after we handle login, but for now, we need to add a flash message and redirect the user to the homepage. We'll add $session->getFlashBag(). And this time, we'll add success. And say, User Added. Then we'll redirect to the homepage.

Let's try adding a user. Admin and the password. First make sure they don't match, perfect. And then, user. And matching passwords. Great, it tells us that our user has been added, but we can't log in yet. Let's look at that next.