Hướng dẫn dùng php bcrypt trong PHP

Cập nhật ngày 27/12/2021

Trong PHP, muốn sử dụng mã hoá Bcrypt ta sẽ dùng hàm password_hash(). Hàm này thường dùng để mã hoá mật khẩu.

Ngoài mã hoá Bcrypt hàm này còn hỗ trợ mã hoá Argon2i và Argon2id.

password_hash ( string $password , int $algo [, array $options ] ) : string

Trong đó:

• $password: chuỗi cần mã hoá
• $algo: Phương thức mã hoá (mặc định là Bcrypt). (xem thêm)
• $options: mảng tùy chọn (xem thêm)

Kết quả:

Trả về chuỗi mã hoá hoặc FALSE nếu thất bại.

Ví dụ:

 12,
];

echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);

So sánh 2 chuỗi đã mã hoá?

Đồi khi ta buồn ta chả biết làm gì rồi ngồi vu vơ nghĩ về Bcrypt, khi mà cùng 1 chuỗi nó mã hoá ra nhiều chuỗi mới khác nhau thì làm sao so sánh?

Nhưng không sao, PHP đã cung cấp cho ta 1 hàm giúp làm việc này đó là password_verify().

password_verify ( string $password , string $hash ) : bool

Trong đó:

• $password: chuỗi gốc cần so sánh
• $hash: chuỗi đã má hoá

Kết quả:

TRUE nếu khớp, FALSE nếu không khớp.

Ví dụ:

 
Cập nhật ngày 27/12/2021
Nội dung chính
So sánh 2 chuỗi đã mã hoá?
Face It, Cryptography is hard.
PHP 5.5
API - (Available for 5.3.7+)
Zend\Crypt\Password\Bcrypt (5.3.2+)
PasswordLib
About BCrypt
Trong PHP, muốn sử dụng mã hoá Bcrypt ta sẽ dùng hàm
password_hash(). Hàm này thường dùng để mã hoá mật khẩu.
Ngoài mã hoá Bcrypt hàm này còn hỗ trợ mã hoá Argon2i và Argon2id.
password_hash ( string $password , int $algo [, array $options ] ) : string
Trong đó:
$password: chuỗi cần mã hoá
$algo: Phương thức mã hoá (mặc định là Bcrypt). (xem thêm)
$options: mảng tùy chọn (xem thêm)
Kết quả:
Trả về chuỗi mã hoá hoặc FALSE nếu thất bại.
Ví dụ:
 12,
];

echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
So sánh 2 chuỗi đã mã hoá?
Đồi khi ta buồn ta chả biết làm gì rồi ngồi vu vơ nghĩ về Bcrypt, khi mà cùng 1 chuỗi nó mã hoá ra nhiều chuỗi mới khác nhau thì làm sao so sánh?



Nhưng không sao, PHP đã cung cấp cho ta 1 hàm giúp làm việc này đó là password_verify().
password_verify ( string $password , string $hash ) : bool
Trong đó:
$password: chuỗi gốc cần so sánh
$hash: chuỗi đã má hoá
Kết quả:
TRUE nếu khớp, FALSE nếu không
khớp.
Ví dụ:
So, you want to use bcrypt? Awesome! However, like other areas of cryptography, you shouldn't be doing it yourself. If you need to worry about anything like managing keys, or storing salts or generating random numbers, you're doing it wrong.
The reason is simple: it's so trivially easy to screw up bcrypt. In fact, if you look at almost every piece of code on this page, you'll notice that it's violating at least one of these common
problems.
Face It, Cryptography is hard.
Leave it for the experts. Leave it for people whose job it is to maintain these libraries. If you need to make a decision, you're doing it wrong.
Instead, just use a library. Several exist depending on your requirements.
Libraries
Here is a breakdown of some of the more common APIs.
PHP 5.5 API - (Available for 5.3.7+)
Starting in PHP 5.5, a new API
for hashing passwords is being introduced. There is also a shim compatibility library maintained (by me) for 5.3.7+. This has the benefit of being a peer-reviewed and simple to use implementation.
function register($username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT);
    save($username, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    if (password_verify($password, $hash)) {
        //login
    } else {
        // failure
    }
}
Really, it's aimed to be extremely simple.



Resources:
Documentation: on PHP.net
Compatibility Library: on GitHub
PHP's RFC: on wiki.php.net
Zend\Crypt\Password\Bcrypt (5.3.2+)
This is another API
that's similar to the PHP 5.5 one, and does a similar purpose. 
function register($username, $password) {
    $bcrypt = new Zend\Crypt\Password\Bcrypt();
    $hash = $bcrypt->create($password);
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $bcrypt = new Zend\Crypt\Password\Bcrypt();
    if ($bcrypt->verify($password, $hash)) {
        //login
    } else {
        // failure
    }
}
Resources:
Documentation: on Zend
Blog Post: Password Hashing With Zend Crypt
PasswordLib
This is a slightly different approach to password hashing. Rather than simply supporting bcrypt, PasswordLib supports a large number of hashing algorithms. It's mainly useful in contexts where you need to support compatibility with legacy and disparate systems that may be
outside of your control. It supports a large number of hashing algorithms. And is supported 5.3.2+
function register($username, $password) {
    $lib = new PasswordLib\PasswordLib();
    $hash = $lib->createPasswordHash($password, '$2y$', array('cost' => 12));
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $lib = new PasswordLib\PasswordLib();
    if ($lib->verifyPasswordHash($password, $hash)) {
        //login
    } else {
        // failure
    }
}
References:
Source Code / Documentation: GitHub
PHPASS
This is a layer that does support bcrypt, but also supports a fairly strong algorithm that's useful if you do not have access to PHP >= 5.3.2... It actually supports PHP 3.0+ (although not with bcrypt).
function register($username, $password) {
    $phpass = new PasswordHash(12, false);
    $hash = $phpass->HashPassword($password);
    save($user, $hash);
}

function login($username, $password) {
    $hash = loadHashByUsername($username);
    $phpass = new PasswordHash(12, false);
    if ($phpass->CheckPassword($password, $hash)) {
        //login
    } else {
        // failure
    }
}
Resources
Code: cvsweb
Project Site: on OpenWall
A
review of the < 5.3.0 algorithm: on StackOverflow
Note: Don't use the PHPASS alternatives that are not hosted on openwall, they are different projects!!!
About BCrypt
If you notice, every one of these libraries returns a single string. That's because of how BCrypt works internally. And there are a TON of answers about that. Here are a selection that I've written, that I won't copy/paste here, but link to:
Fundamental
Difference Between Hashing And Encryption Algorithms - Explaining the terminology and some basic information about them.
About reversing hashes without rainbow tables - Basically why we should use bcrypt in the first place...
Storing bcrypt Hashes - basically why is the salt and algorithm included in the hash result.
How to update the cost of bcrypt hashes - basically how to choose and then maintain the cost of the bcrypt hash.
How to hash long passwords with
bcrypt - explaining the 72 character password limit of bcrypt.
How bcrypt uses salts
Best practices of salting and peppering passwords - Basically, don't use a "pepper"
Migrating old md5 passwords to bcrypt
Wrap Up
There are many different choices. Which you choose is up to you. However, I would HIGHLY recommend that you use one of the above libraries for handling this for you. 
Again, if you're using crypt() directly,
you're probably doing something wrong. If your code is using hash() (or md5() or sha1()) directly, you're almost definitely doing something wrong.
Just use a library...