Wern Ancheta

Adventures in Web Development.

Securing Passwords in PHP


In this tutorial we’re going to take a look at some of the libraries that allow us to secure passwords in PHP.

Password Compat

The first library that we’re going to look at is Password Compat. You can install it through Composer by using the following command.

composer require ircmaxell/password-compat

Once it’s done installing, you can then include the vendor autoload file so you can use its functions.

<?php
require_once 'vendor/autoload.php';
?>

The password_hash function is used to hash passwords. It accepts the password that you want to hash as its first argument and the algorithm to be used for password hashing as its second. In the example below, PASSWORD_DEFAULT is used. This tells PHP to use the most secure algorithm that’s currently available to it. At the time of writing of this article, that algorithm is bcrypt, so that’s the one being used when you specify PASSWORD_DEFAULT as the second argument.

<?php
$password = 'mypassword';
$hash = password_hash($password, PASSWORD_DEFAULT);
?>

There’s also an optional third argument which allows you to change the CPU cost of hashing the password. By default the cost is 10, so if you have a less powerful server you can change it to something lower. The cost can have a value between 4 and 31.

<?php
// Lower the work factor from the default of 10 to 7.
$hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => 7));
?>

You can then store the hash in your database.

To validate that a password matches the hash stored in the database, use the password_verify function. This accepts the password as the first argument and the hash as the second. So in your application you might have a query that selects the user based on their email or username, and then you pass the hash that was returned as the second argument.

<?php
if(password_verify($password, $hash)){
    echo 'valid';
}else{
    echo 'invalid';
}
?>
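Putting the three functions together, here is an added example (not code from the original post or from Password Compat) of a registration and login helper that also upgrades stored hashes when the default algorithm or cost changes. It assumes a PDO connection and a users table with id, email and hash columns; both are assumptions for illustration.

```php
<?php
// Added example, not part of the original post. Assumes a PDO connection and a
// table users(id, email, hash); both are assumptions for illustration.
require_once 'vendor/autoload.php'; // Password Compat on PHP < 5.5; built in on 5.5+

function hashOptions()
{
    // One place to raise the cost later; password_needs_rehash() picks it up.
    return array('cost' => 12);
}

function registerUser(PDO $db, $email, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT, hashOptions());
    $stmt = $db->prepare('INSERT INTO users (email, hash) VALUES (:email, :hash)');
    $stmt->execute(array(':email' => $email, ':hash' => $hash));
    return (int) $db->lastInsertId();
}

function loginUser(PDO $db, $email, $password)
{
    $stmt = $db->prepare('SELECT id, hash FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown account: still run a verify against a throwaway hash so that a
    // missing user and a wrong password take roughly the same time.
    $hash = $row ? $row['hash'] : password_hash('dummy', PASSWORD_DEFAULT, hashOptions());
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }

    // The plaintext is only available now, so this is the moment to re-hash
    // if the stored hash was made with an older algorithm or a lower cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, hashOptions())) {
        $new = password_hash($password, PASSWORD_DEFAULT, hashOptions());
        $upd = $db->prepare('UPDATE users SET hash = :hash WHERE id = :id');
        $upd->execute(array(':hash' => $new, ':id' => $row['id']));
    }
    return (int) $row['id'];
}
```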

PHPAss

PHPAss is one of the older password hashing libraries available for PHP. That doesn’t make it any less secure than the other password securing methods in this article. It uses the blowfish algorithm to hash passwords.

Execute the following to install PHPAss.

composer require hautelook/phpass

After including the vendor autoload file, set your current file to use the PasswordHash class in the Hautelook namespace.

<?php
use Hautelook\Phpass\PasswordHash;
?>

Create a new password hasher instance. The constructor accepts 2 required arguments. The first is the base-2 logarithm of the iteration count used for password stretching. The second is a boolean that sets whether portable hashes will be used. The values I’ve set below are the defaults, and those will do for most use cases.

<?php
// 8 = log2 of the iteration count; false = native (non-portable) hashes
$passwordHasher = new PasswordHash(8, false);
?>

You can then call the HashPassword method to actually hash the password. This hash should then be stored into the database.

<?php
$password = 'mypassword';
$hash = $passwordHasher->HashPassword($password);
?>

You can check if a password is valid by using the CheckPassword method. This accepts the password as its first argument and the hash that came from the database as the second.

<?php
$passwordMatch = $passwordHasher->CheckPassword($password, $hash);
if($passwordMatch){
    echo 'valid';
}else{
    echo 'invalid';
}
?>

PHP Password Lib

PHP Password Lib is one of those libraries that isn’t really recommended for production use. As mentioned on its GitHub page, it’s currently in beta and should be used at your own risk.

In order to install PHP Password Lib, you first have to add a minimum-stability option to your composer.json and set it to dev. Also set prefer-stable to true so that Composer will still default to installing the stable versions of the other libraries you’re installing.

"minimum-stability": "dev",
"prefer-stable": true

The library can’t really be found on Packagist, so you need to add the following to the require section of your composer.json file directly.

"PasswordLib/PasswordLib": "*"

Once that’s done, execute composer update to update the dependencies.

To use the library, create a new instance of the PasswordLib class and then use it to call the createPasswordHash method to hash a password.

<?php
$password = 'mypassword';
$lib = new PasswordLib\PasswordLib();
$hash = $lib->createPasswordHash($password);
?>

Just like the previous libraries it also comes with its own verify function.

<?php
$is_valid = $lib->verifyPasswordHash($password, $hash);
if($is_valid){
    echo 'yep';
}else{
    echo 'nope';
}
?>

Aside from generating and verifying hashes, it also allows you to generate random tokens. A sample use case is when a user requests a password reset. That’s commonly done by sending an email to the user. The email contains a link with a query parameter whose value is a random string. That string is the token, which is used for fetching the password reset request that was saved in the database.

<?php
$token = $lib->getRandomToken(35);
echo $token; // Mpe/H3oLamOqEV4uxTwu.fuhKpb5p/u4BMu
?>
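As an added example (not from the original post or from PHP Password Lib itself), here is the reset flow just described built around getRandomToken, storing only a digest of the token with an expiry so that a leaked reset table does not yield usable links. It assumes a PDO connection and a password_resets table with user_id, token_hash and expires_at columns; both are assumptions.

```php
<?php
// Added example, not part of the original post. Assumes a PDO connection and a
// table password_resets(user_id, token_hash, expires_at); both are assumptions.
require_once 'vendor/autoload.php';

function createResetToken(PDO $db, $userId, $ttlSeconds = 3600)
{
    $lib = new PasswordLib\PasswordLib();
    $token = $lib->getRandomToken(35);

    // Persist only a SHA-256 digest: the token has enough entropy that a fast
    // hash is sufficient, and the clear token never touches the database.
    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:uid, :h, :exp)'
    );
    $stmt->execute(array(
        ':uid' => $userId,
        ':h'   => hash('sha256', $token),
        ':exp' => time() + $ttlSeconds,
    ));
    return $token; // goes into the e-mailed link only
}

function consumeResetToken(PDO $db, $token)
{
    // Look the request up by digest; an unguessable token makes an exact-match
    // index lookup an acceptable comparison here.
    $digest = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id, expires_at FROM password_resets WHERE token_hash = :h'
    );
    $stmt->execute(array(':h' => $digest));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || (int) $row['expires_at'] < time()) {
        return null; // unknown or expired token
    }

    // Single use: remove the request before returning so a replayed link fails.
    $del = $db->prepare('DELETE FROM password_resets WHERE token_hash = :h');
    $del->execute(array(':h' => $digest));
    return (int) $row['user_id'];
}
```

The caller sets the new password (hashed as shown earlier) for the returned user id, and should also expire any other open reset requests for that account.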

zxcvbn-php

zxcvbn-php is a library for estimating password strength.

You can install it by executing the following command.

composer require bjeavons/zxcvbn-php

To use the library, import the ZxcvbnPhp\Zxcvbn class.

<?php
use ZxcvbnPhp\Zxcvbn;
?>

You can then determine the password score by calling the passwordStrength method.

<?php
$zxcvbn = new Zxcvbn();
$password = 'mypassword';
$strength = $zxcvbn->passwordStrength($password);
echo $strength['score'];
?>

Based on my testing, it returns 0 if the password is not secure or easy to crack, and returns 4 if it is secure. I haven’t found any values between those and there’s nothing higher than 4, so I assume it can only return a score of either 4 or 0. The result contains other data as well, things like the entropy, calc_time and crack_time.

GenPhrase

Lastly, we’re going to take a look at GenPhrase. This library allows us to generate secure passphrases in PHP.

To install GenPhrase, execute the following on your terminal.

composer require genphrase/genphrase

One note about the installation though, which is also mentioned on the official GitHub project page: GenPhrase should be obtained only via a secure connection from GitHub, because Composer is susceptible to man-in-the-middle attacks. If you’re just testing, it’s fine to install this library via Composer. But if you’re following this tutorial to implement this library on a production server then think again. You’ve been warned.

To use GenPhrase, create a new instance of the Password class under the GenPhrase namespace. Then call the generate method to generate the random passphrase.

<?php
$gen = new GenPhrase\Password();
echo $gen->generate(); // Slum treble Boost rack
?>

You can also pass the desired entropy (in bits) as an argument. By default the value is 50, but you can use a value between 26 and 120.

<?php
echo $gen->generate(60); // soviet!Retain8skinny&spoil
?>

Conclusion

That’s it! In this tutorial you’ve learned how to secure passwords in PHP using the Password Compat, phpass, PHP Password Lib, zxcvbn and GenPhrase libraries.
