PHP Classes

PHP Password Lock: Hash and encrypt passwords with Bcrypt and SHA2

Version: password_lock 1.0.0
License: MIT/X Consortium ...
PHP version: 5
Categories: PHP 5, Cryptography, Security
Description 


This class can hash and encrypt passwords with Bcrypt and SHA2.

It can take a given password string, create a hash with SHA384 and then encrypt it with Bcrypt.

The class can also take a given password and a password previously encrypted with this class, decrypt the encrypted version, and check whether the password is correct by verifying the hashes.

Author: Scott Arciszewski

Documentation

Password Lock

MIT Licensed - feel free to use to enhance the security of any of your PHP projects

Wraps Bcrypt-SHA384 in Authenticated Encryption. Published by Paragon Initiative Enterprises. Check out our other open source projects too.

Depends on defuse/php-encryption for authenticated symmetric-key encryption.

How is this different than "peppering"?

Peppering strategies are usually implemented with a keyed hash function (e.g. HMAC-SHA256) that is applied to the password before it's passed to the salted hash API (i.e. bcrypt). If your pepper/HMAC key is ever compromised, you have to reset every user's password and it becomes a headache.

A hash-then-encrypt strategy offers agility; if your secret key is compromised (but, miraculously, the hashes are not), you can decrypt all of your users' hashes, then re-encrypt them with a new key, and they'll never suffer the inconvenience of an unscheduled password reset.

How much more secure is this than just using bcrypt?

  • You don't have to worry about the 72 character limit for bcrypt
  • You don't have to worry about accidentally creating a null-byte truncation vulnerability
  • If your database gets hacked, and your database is on a separate machine from your webserver, the attacker has to first decrypt the hashes before attempting to crack any of them.

Here's a proof-of-concept for the first two points.

But realistically, this library is only about as secure as bcrypt.
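The first two points above, demonstrated with PHP built-ins only. This is an added example, not the proof-of-concept the README refers to and not the library's own code; `prehash()` and all sample passwords are constructed for illustration.

```php
<?php
// Added illustration, not code from the Password Lock repository.
// Uses only PHP built-ins; every password below is a constructed sample.

/** Hypothetical helper: reduce any password to 64 printable bytes. */
function prehash(string $password): string
{
    // Raw SHA-384 is 48 bytes; base64 turns it into 64 NUL-free characters,
    // which fits inside bcrypt's 72-byte input window.
    return base64_encode(hash('sha384', $password, true));
}

// 1) 72-byte limit: two different passwords that share their first 72 bytes.
//    bcrypt reads only the first 72 bytes of its input.
$long1 = str_repeat('A', 72) . 'first-suffix';
$long2 = str_repeat('A', 72) . 'other-suffix';

$plain         = password_hash($long1, PASSWORD_BCRYPT);
$plainCollides = password_verify($long2, $plain);

$wrapped         = password_hash(prehash($long1), PASSWORD_BCRYPT);
$wrappedCollides = password_verify(prehash($long2), $wrapped);

// 2) NUL bytes: a pre-hash fed to bcrypt as raw binary is cut at the first
//    NUL byte. Search for a sample input whose raw digest starts with "\0".
$i = 0;
do {
    $candidate = 'sample-password-' . $i++;
    $raw       = hash('sha384', $candidate, true);
} while ($raw[0] !== "\0");

printf("plain bcrypt accepts the other long password:      %s\n",
    var_export($plainCollides, true));
printf("pre-hashed bcrypt accepts the other long password: %s\n",
    var_export($wrappedCollides, true));
printf("input with a NUL-leading digest: %s\n", $candidate);
printf("raw digest bytes before the first NUL: %d\n", strcspn($raw, "\0"));
printf("NUL byte present in base64 pre-hash:   %s\n",
    var_export(strpos(prehash($candidate), "\0") !== false, true));
```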

Usage Examples

Hash Password, Encrypt Hash, Authenticate Ciphertext

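use \ParagonIE\PasswordLock\PasswordLock;
use \Defuse\Crypto\Key;

// Generate the key once and keep it outside the database; later requests
// must load that same key (e.g. with Key::loadFromAsciiSafeString()).
$key = Key::createNewRandomKey();
if (isset($_POST['password'])) {
    if (!is_string($_POST['password'])) {
        die("Password must be a string");
    }
    // $storeMe is the encrypted hash to save in the user's database row.
    $storeMe = PasswordLock::hashAndEncrypt($_POST['password'], $key);
}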

Verify MAC, Decrypt Ciphertext, Verify Password

// $storeMe is the value saved at registration; $key is the key it was encrypted with.
if (isset($_POST['password'])) {
    if (!is_string($_POST['password'])) {
        die("Password must be a string");
    }
    if (PasswordLock::decryptAndVerify($_POST['password'], $storeMe, $key)) {
        // Success!
    }
}

Re-encrypt a hash with a different encryption key

$newKey = \Defuse\Crypto\Key::createNewRandomKey();
$newHash = PasswordLock::rotateKey($storeMe, $key, $newKey);
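The agility argument from the peppering section, carried through a small set of stored hashes with the calls documented on this page. This is an added example, not from the README; it assumes `paragonie/password_lock` and `defuse/php-encryption` are installed with Composer, and the user names and passwords are constructed.

```php
<?php
// Added example, not from the README. Assumes Composer autoloading of
// paragonie/password_lock and defuse/php-encryption.
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\PasswordLock\PasswordLock;
use Defuse\Crypto\Key;
use Defuse\Crypto\Exception\CryptoException;

$oldKey = Key::createNewRandomKey();

// Constructed stand-in for the password column of a users table.
$rows = [
    'alice' => PasswordLock::hashAndEncrypt('correct horse battery staple', $oldKey),
    'bob'   => PasswordLock::hashAndEncrypt('constructed-sample-2', $oldKey),
];

// Suppose $oldKey leaked: re-encrypt every stored value under a fresh key.
// No plaintext password is involved, so no user has to reset anything.
$newKey = Key::createNewRandomKey();
foreach ($rows as $user => $stored) {
    $rows[$user] = PasswordLock::rotateKey($stored, $oldKey, $newKey);
}

// Existing passwords are checked against the rotated value with the new key.
$stillValid = PasswordLock::decryptAndVerify(
    'correct horse battery staple',
    $rows['alice'],
    $newKey
);

// The retired key is tried against the rotated ciphertext; a failed
// authenticated decryption surfaces as a CryptoException.
try {
    PasswordLock::decryptAndVerify('correct horse battery staple', $rows['alice'], $oldKey);
    $oldKeyRejected = false;
} catch (CryptoException $e) {
    $oldKeyRejected = true;
}

var_dump($stillValid, $oldKeyRejected);
```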

Migrate from Version 1 of the library

$newHash = PasswordLock::upgradeFromVersion1(
    $_POST['password'],
    $oldHash,
    $oldKey,
    $newKey
);

Support Contracts

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.

