Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Introduction to User Authentication in PHP

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Securing Passwords

5:01 with Alena Holligan

There are many ways a user can secure their passwords when storing them in a database, however, bcrypt is the defacto standard.

Additional Practice

Practice Hashing Passwords in PHP

Documentation

password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT and is used to create new password hashes using the CRYPT_BLOWFISH algorithm.

This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.

Supported Options:

  • salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
  • cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.

More about the Modular Crypt Format (MCF)

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    Now that you've made it this far, it's time to create the user, 0:00
    since all of our checks have passed. 0:03
    We do, however, need to work with our password a little bit more. 0:06
    PHP has a nice feature that we can use for our password hashing and 0:10
    verification, and it's built into the core. 0:14
    We'll be using password hash to actually create the password that we'll store in 0:19
    the database. 0:24
    This function will create a single direction hash. 0:25
    Meaning this hash cannot be reversed to see the plain text password. 0:29
    The password hash function takes in some properties. 0:33
    The first property is the plain text password. 0:37
    The next property defines what algorithm you want to use. 0:40
    I suggest that you leave this set as password default, 0:45
    since PHP will update to a new default if a better algorithm exists, or is created. 0:48
    Currently the algorithm that is used is the bcrypt algorithm, 0:54
    which will produce a modular crypt format, MCF password. 0:59
    The final property is an array of options. 1:04
    We'll be using all the default options for this project, but to learn more, 1:07
    you can find information in the notes associated with this video. 1:11
    Let's take a quick look at what a password in MCF format looks like. 1:16
    That way you'll be familiar with the format when you see the password stored 1:21
    this way. 1:25
    The $2y$ states that this is a bcrypt hash in modular crypt format. 1:25
    Modular crypt format, or MCF, is a standard for 1:33
    encoding password hash strings. 1:37
    Other options the password may start with are 2a or 2b. 1:40
    The next part of the hash is the cost. 1:45
    This defines how many iterations over the hashing you want. 1:48
    This iteration count will be two times the cost value. 1:53
    Typically, this cost is ten and is fine. 1:57
    But if your computer hardware can handle more, you can increase this value. 2:00
    Third in the string is the actual salt that is used for hashing. 2:05
    The last part of the string is the resulting hash. 2:08
    The plain text of the user's password is never stored. 2:12
    Once you put all that together, you will receive a 60-character string that 2:16
    you can safely store in your database. 2:21
    Now with our understanding of password hash, we can hash our password for 2:24
    use in our database. 2:29
    Inside of our doRegister procedure, 2:30
    we're going to add $hashed = password_hash, 2:35
    And the password with PASSWORD_DEFAULT. 2:42
    We're now ready to add the user to the database. 2:50
    Once again, the function we'll need is in our Functions_users file. 2:54
    We're going to create a user. 3:04
    We pass the username and the password. 3:07
    Inside this function, we also have a role_id. 3:11
    We'll be using a role_id of 2 for general users, and 3:14
    a role_id of 1 for administrators. 3:18
    You can see here that new registered users will all be set to a general user. 3:22
    We'll go into more detail when we talk about the authorization. 3:28
    This function uses the find user by username function to return 3:33
    the user if the user wasn't created. 3:38
    Let's use this function in our procedure. 3:40
    Will set $user = createUser, and 3:46
    we'll pass the username and our $hashed password. 3:50
    We'll make use of this user after we handle login, but for now, 3:59
    we need to add a flash message and redirect the user to the homepage. 4:03
    We'll add $session-> getFlashBag(). 4:08
    And this time, we'll add success. 4:14
    And say, User Added. 4:20
    Then we'll redirect to the homepage. 4:25
    Let's try adding a user. 4:31
    Admin and the password. 4:36
    First make sure they don't match, perfect. 4:43
    And then, user. 4:46
    And matching passwords. 4:49
    Great, it tells us that our user has been added, but we can't log in yet. 4:53
    Let's look at that next. 4:58

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up