Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Securing Passwords

5:01 with Alena Holligan

There are many ways a user can secure their passwords when storing them in a database, however, bcrypt is the defacto standard.

Additional Practice

Practice Hashing Passwords in PHP

Documentation

password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT and is used to create new password hashes using the CRYPT_BLOWFISH algorithm.

This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.

Supported Options:

  • salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
  • cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.

More about the Modular Crypt Format (MCF)

  • 0:00

    Now that you've made it this far, it's time to create the user,

  • 0:03

    since all of our checks have passed.

  • 0:06

    We do, however, need to work with our password a little bit more.

  • 0:10

    PHP has a nice feature that we can use for our password hashing and

  • 0:14

    verification, and it's built into the core.

  • 0:19

    We'll be using password hash to actually create the password that we'll store in

  • 0:24

    the database.

  • 0:25

    This function will create a single direction hash.

  • 0:29

    Meaning this hash cannot be reversed to see the plain text password.

  • 0:33

    The password hash function takes in some properties.

  • 0:37

    The first property is the plain text password.

  • 0:40

    The next property defines what algorithm you want to use.

  • 0:45

    I suggest that you leave this set as password default,

  • 0:48

    since PHP will update to a new default if a better algorithm exists, or is created.

  • 0:54

    Currently the algorithm that is used is the bcrypt algorithm,

  • 0:59

    which will produce a modular crypt format, MCF password.

  • 1:04

    The final property is an array of options.

  • 1:07

    We'll be using all the default options for this project, but to learn more,

  • 1:11

    you can find information in the notes associated with this video.

  • 1:16

    Let's take a quick look at what a password in MCF format looks like.

  • 1:21

    That way you'll be familiar with the format when you see the password stored

  • 1:25

    this way.

  • 1:25

    The $2y$ states that this is a bcrypt hash in modular crypt format.

  • 1:33

    Modular crypt format, or MCF, is a standard for

  • 1:37

    encoding password hash strings.

  • 1:40

    Other options the password may start with are 2a or 2b.

  • 1:45

    The next part of the hash is the cost.

  • 1:48

    This defines how many iterations over the hashing you want.

  • 1:53

    This iteration count will be two times the cost value.

  • 1:57

    Typically, this cost is ten and is fine.

  • 2:00

    But if your computer hardware can handle more, you can increase this value.

  • 2:05

    Third in the string is the actual salt that is used for hashing.

  • 2:08

    The last part of the string is the resulting hash.

  • 2:12

    The plain text of the user's password is never stored.

  • 2:16

    Once you put all that together, you will receive a 60-character string that

  • 2:21

    you can safely store in your database.

  • 2:24

    Now with our understanding of password hash, we can hash our password for

  • 2:29

    use in our database.

  • 2:30

    Inside of our doRegister procedure,

  • 2:35

    we're going to add $hashed = password_hash,

  • 2:42

    And the password with PASSWORD_DEFAULT.

  • 2:50

    We're now ready to add the user to the database.

  • 2:54

    Once again, the function we'll need is in our Functions_users file.

  • 3:04

    We're going to create a user.

  • 3:07

    We pass the username and the password.

  • 3:11

    Inside this function, we also have a role_id.

  • 3:14

    We'll be using a role_id of 2 for general users, and

  • 3:18

    a role_id of 1 for administrators.

  • 3:22

    You can see here that new registered users will all be set to a general user.

  • 3:28

    We'll go into more detail when we talk about the authorization.

  • 3:33

    This function uses the find user by username function to return

  • 3:38

    the user if the user wasn't created.

  • 3:40

    Let's use this function in our procedure.

  • 3:46

    Will set $user = createUser, and

  • 3:50

    we'll pass the username and our $hashed password.

  • 3:59

    We'll make use of this user after we handle login, but for now,

  • 4:03

    we need to add a flash message and redirect the user to the homepage.

  • 4:08

    We'll add $session-> getFlashBag().

  • 4:14

    And this time, we'll add success.

  • 4:20

    And say, User Added.

  • 4:25

    Then we'll redirect to the homepage.

  • 4:31

    Let's try adding a user.

  • 4:36

    Admin and the password.

  • 4:43

    First make sure they don't match, perfect.

  • 4:46

    And then, user.

  • 4:49

    And matching passwords.

  • 4:53

    Great, it tells us that our user has been added, but we can't log in yet.

  • 4:58

    Let's look at that next.

You need to sign up for Treehouse in order to download course files.

Sign up