{"id":13622908,"url":"https://github.com/ircmaxell/PHP-PasswordLib","last_synced_at":"2025-04-15T10:31:52.166Z","repository":{"id":2277974,"uuid":"3234956","full_name":"ircmaxell/PHP-PasswordLib","owner":"ircmaxell","description":"A library for generating and validating passwords","archived":false,"fork":false,"pushed_at":"2017-10-30T10:31:28.000Z","size":1349,"stargazers_count":373,"open_issues_count":11,"forks_count":61,"subscribers_count":29,"default_branch":"master","last_synced_at":"2024-11-25T10:31:16.351Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ircmaxell.png","metadata":{"files":{"readme":"README.markdown","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-01-21T17:26:34.000Z","updated_at":"2024-04-18T09:46:24.000Z","dependencies_parsed_at":"2022-07-19T15:04:06.721Z","dependency_job_id":null,"html_url":"https://github.com/ircmaxell/PHP-PasswordLib","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ircmaxell%2FPHP-PasswordLib","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ircmaxell%2FPHP-PasswordLib/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ircmaxell%2FPHP-PasswordLib/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ircmaxell%2FPHP-PasswordLib/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ircmaxell","download_url":"https://codeload.github.com/ircmaxell/PHP-PasswordLib/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"htt
ps://github.com","kind":"github","repositories_count":249051656,"owners_count":21204862,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:01:25.599Z","updated_at":"2025-04-15T10:31:51.828Z","avatar_url":"https://github.com/ircmaxell.png","language":"PHP","readme":"# PHP-PasswordLib\n\n## Build Status\n\n[![Build Status](https://travis-ci.org/ircmaxell/PHP-PasswordLib.png?branch=master)](https://travis-ci.org/ircmaxell/PHP-PasswordLib)\n\n## Version\n\nThe current version is considered Beta.  This means that it is *ready enough* to test and use, but beware that you should update frequently.\n\nAs this software is **BETA**, **Use at your own risk**!\n\n# About\n\nPHP-PasswordLib aims to be an all-inclusive cryptographic library for all cryptographic needs.  It is meant to be easy to install and use, yet extensible and powerful enough for even the most experienced developer.\n\n# Installation\n\nPasswordLib supports multiple installation methods.\n\n## PHAR\n\nFrom the [downloads](https://github.com/ircmaxell/PHP-PasswordLib/downloads) tab, download the latest phar build.  Then, just require the phar in your code!\n\n    require_once '/path/to/PasswordLib.phar';\n\n## Composer\n\nAdd a `composer.json` file to your project with the following:\n\n    {\n        \"require\": {\n            \"PasswordLib/PasswordLib\": \"*\"\n        }\n    }\n\nThen, inside that folder, just run `php composer.phar install`.  
\n\nThen, in your code, just use the composer autoloader:\n\n    require_once 'vendor/.composer/autoload.php';\n\nThat's it!\n\n# Usage\n\nMost use-cases can simply use the root `PasswordLib` class.\n\n    $lib = new PasswordLib\\PasswordLib();\n    $hash = $lib-\u003ecreatePasswordHash($password);\n    $boolean = $lib-\u003everifyPasswordHash($password, $hash);\n\nBy default, `createPasswordHash` will create a blowfish hash, which is the most secure available.  To create other types, just pass the prefix of the type as a second parameter.\n\nSo, to create a drupal hash:\n\n    $hash = $lib-\u003ecreatePasswordHash($password, '$S$');\n\nOr to create a SHA512 hash:\n\n    $hash = $lib-\u003ecreatePasswordHash($password, '$6$');\n\nIt will automatically create a secure salt, and generate the hash.\n\nYou can also specify options for the hash. So to use a bcrypt cost of 12,\n\n    $hash = $lib-\u003ecreatePasswordHash($password, '$2a$', array('cost' =\u003e 12));\n\n`verifyPasswordHash` will attempt to determine what type of hash is passed in.  So one API call can verify multiple types of hashes.  This allows for applications to be portable and authenticate against multiple databases with one API.\n\nThe `PasswordLib` class has other API methods for getting random data.  Two of particular use are `getRandomNumber` and `getRandomToken`.  \n\n - `getRandomNumber([$min] [, $max])` - gets a secure random integer between the given parameters.\n\n - `getRandomToken($size)` returns a random string using base64 characters (`a-zA-Z0-9./`).  This is useful for generating nonces and tokens to send to clients.\n\nThe library also contains other methods for generating random data and hashing data, so look around!\n\n\n## Design Goals\n\n - **100% Portable**\n\n    That means there are no hard (meaning required) dependencies on extensions or non-standard server configurations.  
Certain configurations will have better performance for certain features, but all configurations should be supported.\n\n - **Well Designed**\n\n    The code will use industry standard design patterns as well as follow guidelines for clean and testable code.\n\n - **Well Tested**\n\n    That means that the code should be well covered by unit tests.  In addition to unit tests, standard test vectors should be run for custom implementations of algorithms to ensure proper behavior.\n\n - **Easy To Install**\n\n    PHP-PasswordLib will support three install methods.  The first method is a pear based installer.  The second is a single file PHAR archive.  The third is support via Composer.\n\n - **Easy To Use**\n\n    One goal of this system is to provide a simple interface which has secure defaults for standard cryptographic needs (Random token generation, password hashing and verifying, etc).  If more power is needed, additional layers of abstraction are available to wire together however is needed.\n\n - **Easy To Extend**\n\n    The library should be very easy to extend and add new functionality.\n\n# Features\n\n## Optional Autoloading\n\nIf you include PasswordLib via a PHAR package, it will automatically autoload all of the classes for you, no extra step necessary.  Simply:\n\n    require 'path/to/PasswordLib.phar';\n\nIf you include PasswordLib via a filesystem install, you can use the internal autoloader by either loading the bootstrap.php file, or loading the PasswordLib.php file:\n\n    require_once 'path/to/PasswordLib/bootstrap.php';\n\nor\n\n    require_once 'path/to/PasswordLib/PasswordLib.php';\n\nYou can also use any [PSR-0] [3] autoloader.  PasswordLib will automatically detect if an autoloader is set up for its namespace, and will not declare its own if it finds one (it does this by testing if the class PasswordLib\\Core\\AutoLoader can be found.  If so, that means that an autoloader was declared already.  
If not, it loads the core implementation).\n\n    $classLoader = new SplClassLoader('PasswordLib', 'path/to/');\n    $classLoader-\u003eregister();\n\nNote that the path you supply is the directory which contains the *PasswordLib* directory.  Not the PasswordLib directory itself.\n\n## Secure Random Number/String Generation\n\nPHP-PasswordLib implements a method specified in [RFC 4086 - Randomness Requirements for Security] [2].  Basically, it generates randomness from a number of pseudo random sources, and \"mixes\" them together to get better quality random data out.  When you specify the \"strength\" of random generator, you are actually telling the system which sources you would like to use.  The higher the strength, the slower and potentially more fragile the source it will use.\n\nThe mixing function is also dependent upon the strength required.  For non-cryptographic numbers, a simple XOR mixing function is used (for speed).  As strength requirements increase, it will use a SHA512 based mixing function, then a DES based mixing function and finally an AES-128 based mixing function at \"High\" strength.\n\nAnd all of this is hidden behind a simple API.\n\nTo generate user-readable strings, you can use the PasswordLib class (which generates medium strength numbers by default):\n\n    $crypt = new PasswordLib\\PasswordLib;\n    $token = $crypt-\u003egetRandomToken(16);\n\nOr you can use the core generator to get more control:\n\n    $factory = new PasswordLib\\Random\\Factory;\n    $generator = $factory-\u003egetHighStrengthGenerator();\n    $token = $generator-\u003egenerateString(16);\n\nTo generate salts, simply use PasswordLib::getRandomString() or Generator::generate()\n\n## Password Hashing And Validation\n\nA number of password hashing algorithms are supported.  When creating a new hash, the algorithm is chosen via a prefix (a CRYPT() style prefix).  
The library will do the rest (salt generation, etc):\n\n    $crypt = new PasswordLib\\PasswordLib;\n    $hash = $crypt-\u003ecreatePasswordHash($password, '$2a$'); // Blowfish\n    $hash = $crypt-\u003ecreatePasswordHash($password, '$S$'); // Drupal\n\nWhen validating password hashes, where possible, the library will actually auto-detect the algorithm used from the format and verify.  That means it's as simple as:\n\n    $crypt = new PasswordLib\\PasswordLib;\n    if (!$crypt-\u003everifyPasswordHash($password, $hash)) {\n        //Invalid Password!\n    }\n\nYou can bypass the auto-detection and manually verify:\n\n    $hasher = new PasswordLib\\Password\\Implementation\\Joomla;\n    $hash = $hasher-\u003ecreate($password);\n    if (!$hasher-\u003everify($password, $hash)) {\n        //Invalid Hash!\n    }\n\n# Specifications\n\n  - Supported Password Storage Functions\n    - **APR1**         - Apache's internal password function\n    - **Blowfish**     - BCrypt\n    - **Crypt**        - Crypt DES hashing\n    - **Drupal**       - Drupal's SHA512 based algorithm\n    - **Hash**         - Raw md5, sha1, sha256 and sha512 detected by length\n    - **Joomla**       - Joomla's MD5 based algorithm\n    - **Crypt MD5**    - Support for Crypt's MD5 algorithm\n    - **PBKDF**        - A PBKDF implementation (which supports any supported password based key derivation)\n    - **PHPASS**       - An implementation of the portable hash from the PHPASS library\n    - **PHPBB**        - PHPBB's MD5 based algorithm\n    - **Crypt SHA256** - Crypt's SHA256 algorithm\n    - **Crypt SHA512** - Crypt's SHA512 algorithm\n\n - Supported Random Number Sources\n    - **CAPICOM**   - A COM object method call available on Windows systems\n    - **MTRand**    - Generation based upon the mt_rand() functions\n    - **MicroTime** - A low entropy source based upon the server's microtime\n    - **Rand**      - A low entropy source based upon rand()\n    - **URandom**   - Generation from the 
system's /dev/urandom source\n    - **UniqID**    - A low entropy source based upon uniqid()\n\n# Library Dependencies:\n\nThe only dependency PHP-PasswordLib has to use as a library is the PHP version.  It is made to be completely independent of extensions, implementing functionality natively where possible.\n\n## Required\n\n - PHP \u003e= 5.3.2\n\n## Optional\n\n - [MCrypt] [1] Support Compiled In\n\n\n# Build (Testing) Dependencies:\n\nThese dependencies are necessary to build the project for your environment (including running unit tests, packaging and code-quality checks)\n\n## Pear Dependencies\n\n - PDepend Channel (pear.pdepend.org)\n   - pdepend/PHP_Depend \u003e= 0.10.0\n\n - Phing Channel (pear.phing.info)\n   - phing/Phing \u003e= 2.4.0\n\n - PHPMD Channel (pear.phpmd.org)\n   - phpmd/PHP_PMD \u003e= 1.1.0\n\n\n - PHPUnit Channel (pear.phpunit.de)\n   - phpunit/PHPUnit \u003e=3.5.0\n   - phpunit/PHP_CodeBrowser \u003e= 1.0.0\n   - phpunit/phpcpd \u003e= 1.3.0\n   - phpunit/phploc \u003e= 1.6.0\n\n - PHP-Tools Channel (pear.php-tools.net)\n   - pat/vfsStream \u003e= 0.8.0\n\n - Default Pear Channel\n   - pear/PHP_CodeSniffer \u003e= 1.3.0\n   - pear/PHP_UML \u003e= 1.5.0\n\nNote: You can install all of them with the following commands:\n\n    pear channel-discover pear.pdepend.org\n    pear channel-discover pear.phing.info\n    pear channel-discover pear.phpmd.org\n    pear channel-discover pear.phpunit.de\n    pear channel-discover pear.php-tools.net\n    pear channel-discover components.ez.no\n    pear channel-discover pear.symfony-project.com\n\n    pear install pdepend/PHP_Depend\n    pear install phpmd/PHP_PMD\n    pear install pat/vfsStream\n    pear install PHP_CodeSniffer\n    pear install PHP_UML\n    pear install phpunit/PHPUnit\n    pear install phpunit/PHP_CodeBrowser\n    pear install phpunit/phpcpd\n    pear install phpunit/phploc\n    pear install phing/Phing\n\n\n## PHP Dependencies\n\n - PHP \u003e= 5.3.2\n   - `php.ini` Settings:\n     
- `phar.readonly = Off`\n\n - PHP Extensions\n   - XDebug\n   - MCrypt\n   - Hash (usually enabled)\n   - Phar\n   - Zip (For Packaging)\n   - BZ2 (For Packaging)\n   - XSL (For Documentation)\n\n  [1]: http://us.php.net/manual/en/book.mcrypt.php \"MCrypt Book\"\n  [2]: http://www.ietf.org/rfc/rfc4086.txt \"RFC 4086 - Randomness Requirements for Security\"\n  [3]: http://groups.google.com/group/php-standards/web/psr-0-final-proposal \"PSR-0 Autoloading Final Proposal\"\n\n\nSecurity Vulnerabilities\n========================\n\nIf you have found a security issue, please contact the author directly at [me@ircmaxell.com](mailto:me@ircmaxell.com).\n","funding_links":[],"categories":["密码","目录","Table of Contents","PHP","密码 Passwords","Security","Passwords","密码( Passwords )"],"sub_categories":["密码 Passwords","Passwords"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fircmaxell%2FPHP-PasswordLib","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fircmaxell%2FPHP-PasswordLib","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fircmaxell%2FPHP-PasswordLib/lists"}