This course will be retired on June 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

PHP User Authentication

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Securing Passwords

5:38 with Alena Holligan and Brian Retterer

There are many ways a user can secure their passwords when storing them in a database, however bcrypt is the defacto standard.

Documentation

password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT and is used to create new password hashes using the CRYPT_BLOWFISH algorithm.

This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.

Supported Options:

  • salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
  • cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.

More about the Modular Crypt Format (MCF)

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    It's now time to create the user, since all our checks have passed. 0:00
    We do however need to work with our password a little bit. 0:04
    PHP has a nice feature that we can use for password hashing and for verification. 0:08
    We'll be using password hash to actually create 0:14
    the password we store in the database. 0:17
    This method will create a single direction hash, 0:19
    meaning this hash cannot be reversed to see the plain text password. 0:23
    The password hash function, takes in some properties. 0:28
    The first property is the Plain text password. 0:31
    The next property defines what algorithm you want to use. 0:35
    I suggest that you leave this as password default since PHP will update 0:39
    to a new default for you if the better algorithm exists or is created. 0:44
    Currently the algorithm that is used is B crypt, 0:50
    which will produce a modular crypt format password. 0:53
    The final property is an array of options. 0:56
    We'll be using all the default options for this project, but 1:00
    to learn more, you can find information in the notes. 1:03
    Let's take a quick look at what a password in modular crypt format looks like. 1:07
    [SOUND] The first part states that this is a B crypt hash in Modular Crypt Format. 1:12
    Modular Crypt Format or MCF is a standard for encoding password hash strings, 1:17
    other options the password may start with are 2A or 2B. 1:24
    The next part of the hash is the cost. 1:29
    This defines how many iteration is over the hashing you want. 1:32
    This iteration count will be two to the exponent of cost value. 1:36
    Typically, this cost is ten and that's fine. 1:40
    But if your computer hardware can handle more you can increase this value. 1:43
    Third in the string is the saw that is used for hashing. 1:48
    The last part of the string is the resulting hash. 1:52
    The plain text of the user password is never stored. 1:55
    Once you put all that together, you will receive a 60 character string that 1:59
    you can safely store in your database. 2:04
    Now with our understanding of password hash, 2:06
    we can hash our password for use in our database. 2:09
    Inside our do register procedure. 2:13
    We're going to add $hashed = password_hash, 2:15
    we'lll pass password, and 2:24
    then PASSWORD_DEFAULT. 2:29
    Next, let's add a new function called createUser. 2:34
    We'll need the email and the password. 2:48
    Again start with global $db, And our try to catch block. 2:55
    And we'll throw our exception. 3:16
    For our query, we're going to INSERT INTO USERS. 3:22
    Email, password, and role_id. 3:29
    We'll be using a role ID of two for general users and a role ID of one for 3:35
    administrators. 3:40
    There will be more on this coming up when we talk about authorization. 3:41
    For our values, 3:46
    we'll use email, 3:50
    password and 2. 3:54
    Prepare our query. 4:06
    And bind the values 4:11
    Then we execute. 4:39
    And we'll return findUserByEmail and 4:42
    pass the email. 4:48
    This function will now return the user if the user was created. 4:51
    Let's use this function in our procedure. 4:55
    $user = createUser($email, 5:02
    $hashed);. 5:08
    We'll make use of this user after we handle our login. 5:11
    For now, we'll just redirect the user back to the home page, 5:15
    redirect back to the home page. 5:20
    Let's go back to the browser and register a user. 5:23

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up