https://github.com/spaze/encrypt-hash-password-php
Example of an encrypted password hash storage in PHP
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/spaze/encrypt-hash-password-php
- Owner: spaze
- License: unlicense
- Created: 2014-06-20T01:11:58.000Z (almost 11 years ago)
- Default Branch: master
- Last Pushed: 2015-05-12T01:28:33.000Z (about 10 years ago)
- Last Synced: 2025-03-23T16:51:25.356Z (3 months ago)
- Language: PHP
- Size: 207 KB
- Stars: 21
- Watchers: 5
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Hash and encrypt, PHP examples
==============================

Example of an encrypted password hash storage in PHP, uses bcrypt for hashing and AES-128 in CBC mode for encryption. It uses the [defuse/php-encryption](https://github.com/defuse/php-encryption) package for crypto operations.

**Do not** encrypt just the passwords, encrypt only password hashes for extra security.

## Usage

- Install [defuse/php-encryption](https://github.com/defuse/php-encryption) via [Composer](https://packagist.org/packages/defuse/php-encryption) first, or at least copy the `Crypto.php` file to your project
- Don't write your own encryption functions

## Key

Generate a 128-bit key (as a PHP string of `\x`-escaped hex bytes) using

- `echo preg_replace('/(..)/', '\x$1', bin2hex(openssl_random_pseudo_bytes(16)));`
- or by running `openssl rand -hex 16 | sed s/\\\(..\\\)/\\\\x\\1/g` in `bash`

The key should be stored in the following format: `"\xf3\x49\xf9\x4a\x0a\xb2 ..."`. Do NOT encode the `$key` with `bin2hex()` or `base64_encode()` or similar, they may leak the key to the attacker through side channels.
## Files
- [`example-encrypthash.php`](example-encrypthash.php) - Encrypted password hash storage, uses bcrypt + AES-128-CBC with PKCS#7 padding and SHA-256 HMAC authentication using *Encrypt-then-MAC* approach
- [`example-hash.php`](example-hash.php) - Password hash storage, uses bcrypt.
- [`functions-encrypthash.php`](functions-encrypthash.php) - Functions used by `example-encrypthash.php`
- [`tests/encrypthash.php`](tests/encrypthash.php) - Tests for encrypted hash functions
- [`tests/hash.php`](tests/hash.php) - Tests for hash functions

## Tests
Simple tests are included, run them with `php tests/hash.php` and `php tests/encrypthash.php`.
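As an added example (not code from this repository), here is the store-and-check round trip the README describes: bcrypt first, then the hash encrypted with AES-128-CBC plus HMAC-SHA256 via the library, with a tampered ciphertext rejected by the MAC check before bcrypt is ever consulted. It assumes the defuse/php-encryption 1.x API that the README's `Crypto.php` instruction refers to (`Crypto::Encrypt`, `Crypto::Decrypt`, `InvalidCiphertextException`); `storePassword` and `checkPassword` are names chosen here, and the demo key is constructed.

```php
<?php
// Added example, not part of spaze/encrypt-hash-password-php.
// Assumption: defuse/php-encryption 1.x, which provides Crypto::Encrypt(),
// Crypto::Decrypt() and throws InvalidCiphertextException on a bad HMAC.
require_once 'Crypto.php';

const KEY_BYTES = 16; // AES-128 key, kept as a raw binary string "\xf3\x49..."

// Hash first, then encrypt the bcrypt hash (never the password itself).
function storePassword($password, $key)
{
    if (strlen($key) !== KEY_BYTES) {
        throw new InvalidArgumentException('key must be exactly 16 raw bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    // Crypto::Encrypt does AES-128-CBC + HMAC-SHA256 (Encrypt-then-MAC) and
    // prepends a fresh random IV, so equal hashes give different ciphertexts.
    return Crypto::Encrypt($hash, $key);
}

// Decrypt-then-verify: a modified or truncated ciphertext fails the HMAC
// check before decryption and is treated as an ordinary failed login.
function checkPassword($password, $ciphertext, $key)
{
    try {
        $hash = Crypto::Decrypt($ciphertext, $key);
    } catch (InvalidCiphertextException $e) {
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed demo key in the README's "\x.." format; never hard-code a real one.
$key = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f";
$stored = storePassword('correct horse battery staple', $key);

var_dump(checkPassword('correct horse battery staple', $stored, $key)); // right password
var_dump(checkPassword('wrong password', $stored, $key));               // wrong password

// Flip one bit of the stored ciphertext: the HMAC no longer matches.
$tampered = $stored;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(checkPassword('correct horse battery staple', $tampered, $key)); // tampered blob
```

Store only the string returned by `storePassword()`; the key itself lives outside the database, as the README's key section describes.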