Saturday, October 21, 2017

Secure User Password In Login and Registration Page - password_hash() & password_verify()

password_hash and password_verify

In this post, we share some techniques and ideas for securing the login and registration pages of your website. Nowadays security matters to all of us, as it protects a website from unauthorized access.
Here you will learn how to secure the user password field of a login page using PHP. To secure the user password field in the login and registration pages, we use two PHP functions:
  1. password_hash() Function.
  2. password_verify() Function.
Let's see an example of PHP password hashing and verification.

password_hash()

password_hash() creates a new password hash using a strong one-way hashing algorithm. Also password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

Syntax:
string password_hash ( string $password , integer $algo [, array $options ] )

NOTE: Here we use the PASSWORD_BCRYPT algorithm to create the hash. It produces a standard crypt()-compatible hash using the "$2y$" identifier. The result will always be a 60-character string, or FALSE on failure.

password_verify() 

It verifies that the given hash matches the given password. If the password and hash match, it returns True; otherwise it returns False.

Syntax:
boolean password_verify ( string $password , string $hash )

Follow the below steps :

Step : 1
After the registration process is complete, you have the user's credential details in your database. The next thing to do is fetch the password from the database and pass it to the password_hash() function using the PASSWORD_BCRYPT algorithm.

echo $hash = password_hash("waypluspassword", PASSWORD_BCRYPT);

Step : 2 
Here we compare the password entered in the HTML form with the hash produced above (e.g. $hash). For the comparison we use the predefined PHP function password_verify().

$password = "waypluspassword"; // get the password from the HTML form

if (password_verify($password, $hash)) {
    // Verified
    echo "<br>" . " Password Match Found";
} else {
    // Not verified
    echo "<br>" . " Password Match not Found";
}

Note: Build your login script using this method. It helps you secure the password field of the HTML form.

Complete Code :

Example

<?php
// Note that we use PASSWORD_BCRYPT, whose hash is always 60 characters long.
// Get the password from the database and pass it to password_hash()
// to convert the password to a hash.
echo $hash = password_hash("waypluspassword", PASSWORD_BCRYPT);

// Get the password from the form request and pass it to password_verify()
// to check the entered password against the stored hash.
$password = "waypluspassword";

if (password_verify($password, $hash)) {
    // Verified
    echo "<br>" . " Password Match Found";
} else {
    // Not verified
    echo "<br>" . " Password Match not Found";
}

?>
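
The two steps above as they would sit in a registration and login handler, with the password hashed at registration so that only the hash is ever stored. This is an added example, not code from the original post; the $users array (standing in for a database table), the register() and login() helpers, the cost of 12 and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example, not the post's code. $users stands in for a database table;
// register(), login(), the cost value and the accounts are constructed.
$users = [];
$options = ['cost' => 12]; // assumed work factor, tune it to your hardware

// Registration: hash the submitted password and store only the hash.
function register(array &$users, string $name, string $password, array $options): bool
{
    // bcrypt uses only the first 72 bytes of input, so refuse longer values
    if ($password === '' || strlen($password) > 72) {
        return false;
    }
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
    return true;
}

// Login: check the submitted password against the stored hash.
function login(array &$users, string $name, string $password, array $options): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Throwaway hash so an unknown name still runs one bcrypt verification
        $dummy = password_hash('placeholder', PASSWORD_BCRYPT, $options);
    }
    $known = isset($users[$name]);
    $hash = $known ? $users[$name] : $dummy;
    $ok = password_verify($password, $hash) && $known;
    // Upgrade hashes made with an older cost while the plaintext is at hand
    if ($ok && password_needs_rehash($hash, PASSWORD_BCRYPT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return $ok;
}

register($users, 'alice', 'waypluspassword', $options);
// A record hashed earlier with a lower cost, as an older database row would be
$users['carol'] = password_hash('waypluspassword', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(login($users, 'alice', 'waypluspassword', $options)); // correct password
var_dump(login($users, 'alice', 'wrong-password', $options));  // wrong password
var_dump(login($users, 'bob', 'waypluspassword', $options));   // unknown user
var_dump(login($users, 'carol', 'waypluspassword', $options)); // triggers a rehash
var_dump(password_get_info($users['carol'])['options']['cost']); // cost now stored
```

In a real application the hash column should be wide enough for future algorithms; the PHP manual recommends 255 characters.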


