Download the PHP package brenno-duarte/php-secure-password without Composer
On this page you can find all versions of the php package brenno-duarte/php-secure-password. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package: php-secure-password
Short description: SecurePassword is a PHP component for creating strong passwords using modern encryption.
License: MIT
Information about the package php-secure-password
PHP SecurePassword
SecurePassword is a PHP component for creating strong passwords using modern encryption.
Why use this component?
Unlike plain password_hash or password_verify, SecurePassword adds a secret value (commonly called a pepper) to the password so that the generated hash is harder to break.
Requirements
PHP >= 8.2
Installing via Composer
How to use
The code below shows an example of creating the hash. The createHash method generates the password hash together with the pepper, and the getHash method returns the generated hash.
Settings
You can change the hashing settings without using the methods listed below by passing them to the constructor, as in the following code:
You can use the following algorithms: HashAlgorithm::DEFAULT, HashAlgorithm::BCRYPT, HashAlgorithm::ARGON2I, HashAlgorithm::ARGON2ID.
Changing the encryption algorithm
NOTE: If you are using the settings passed in the constructor then you can ignore the code below.
You can change the type of algorithm used to generate the hash. It is possible to use PASSWORD_BCRYPT, PASSWORD_ARGON2I, PASSWORD_ARGON2ID and even PASSWORD_DEFAULT.
- useDefault() will use the standard algorithm
- useBcrypt() will use Bcrypt
- useArgon2() will use Argon2
- useArgon2(true), passing true, will use Argon2d
If the type of algorithm is not provided, the default encryption will be 'PASSWORD_DEFAULT'.
Returns information about the given hash
To return the information of the created hash, use the getHashInfo method.
Verifies that a password matches a hash
To verify that the hash generated with createHash is valid, you can use verifyHash in two ways:
To make timing attacks more difficult, the verifyHash method waits 0.25 seconds (250000 microseconds) before returning the value. You can change this time through the third parameter.
NOTE: If you are using the settings passed in the constructor then you can ignore the code below.
You can change the type of algorithm that will be used to check the hash.
Needs Rehash
If the hashing algorithm has been changed, you can generate a new hash with the new algorithm. The needsHash() method checks whether the given hash needs to be regenerated; otherwise it returns false.
Example 1
Example 2
Adding options
NOTE: If you are using the settings passed in the constructor then you can ignore the code below.
Add options in the useDefault, useBcrypt and useArgon2 methods.
- useDefault: default options, pass an array.
- useBcrypt: you can change $cost. The default is 12.
- useArgon2: you can change $memory_cost, $time_cost and $threads. The defaults are the constants PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWORD_ARGON2_DEFAULT_TIME_COST and PASSWORD_ARGON2_DEFAULT_THREADS.
Using OpenSSL and Sodium encryption
SecurePassword bundles the paragonie/sodium_compat component, so the PECL Sodium extension is not required.
You can use OpenSSL and Sodium encryption through the Encryption class:
You can decrypt the token by calling the decrypt method:
You can pass a supported adapter to the class like this:
Use of OpenSSL
Use of Sodium
OpenSSL is used by default; you can choose whichever one you want.
Changing the secret entry (recommended)
It is recommended to change the secret value (the pepper) that is added to your password. Use setPepper to change it.
By default, the setPepper method uses OpenSSL encryption. However, you can use Sodium encryption if you prefer.
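The pepper-then-hash flow described in "How to use", "Verifies that a password matches a hash", "Needs Rehash" and this section, written out as an added example that is not the package's own code: it uses only PHP's built-in password_hash, password_verify and password_needs_rehash; createHash, verifyHash and rehashIfNeeded are hypothetical stand-ins for the library's methods, PEPPER is a placeholder, and the Argon2id step assumes PHP was built with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added example, not the package's code. The pepper is a server-side secret that
// must live outside the database (environment variable, secrets manager); the
// value below is a placeholder for illustration only.
const PEPPER = 'PLACEHOLDER-replace-with-32-random-bytes-kept-outside-the-database';

// Bind the pepper to the password with HMAC before hashing. Using the hex
// digest (64 chars, no NUL bytes) also sidesteps bcrypt's 72-byte input limit.
function pepperPassword(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

// Hypothetical stand-in for the library's createHash(): hash the peppered input.
function createHash(string $password, string $pepper, string $algo = PASSWORD_BCRYPT, array $options = []): string
{
    return password_hash(pepperPassword($password, $pepper), $algo, $options);
}

// Hypothetical stand-in for verifyHash(): password_verify already compares in
// constant time, so no extra delay is added here.
function verifyHash(string $password, string $hash, string $pepper): bool
{
    return password_verify(pepperPassword($password, $pepper), $hash);
}

// After a successful login, regenerate the hash if the algorithm or its
// options changed; returns null when the stored hash is still current.
function rehashIfNeeded(string $password, string $hash, string $pepper, string $algo, array $options): ?string
{
    if (!password_needs_rehash($hash, $algo, $options)) {
        return null;
    }
    return createHash($password, $pepper, $algo, $options);
}

// Constructed demonstration: hash with bcrypt (cost 12), verify, then migrate
// the stored hash to Argon2id on the next successful verification.
$password = 'correct horse battery staple'; // constructed sample password
$hash = createHash($password, PEPPER, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(verifyHash($password, $hash, PEPPER));
var_dump(verifyHash('wrong password', $hash, PEPPER));
echo password_get_info($hash)['algoName'], PHP_EOL;

$migrated = rehashIfNeeded($password, $hash, PEPPER, PASSWORD_ARGON2ID, []);
echo $migrated === null ? 'hash still current' : password_get_info($migrated)['algoName'], PHP_EOL;
```

Because the pepper never touches the database, a dump of the users table alone cannot be cracked offline without also obtaining the pepper from the application host.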
Getting the ideal encryption cost
Here's a quick function that helps you determine the cost parameter to use on your server so that hashing time stays within the desired range.
License
MIT