PHP Class lithium\security\Password

Public Methods

Method  Description
check ( string $password, string $hash ) : boolean Compares a password and its hashed value using PHP's crypt(). Rather than a simple string comparison, this method uses a constant-time algorithm to defend against timing attacks.
hash ( string $password, string $salt = null ) : string Hashes a password using PHP's crypt() and an optional salt. If no salt is supplied, a cryptographically strong salt will be generated using lithium\security\Password::salt().
salt ( string $type = null, integer $count = null ) : string Generates a cryptographically strong salt, using the best available method (tries Blowfish, then XDES, and falls back to MD5), for use in Password::hash().

Protected Methods

Method  Description
_generateSaltBf ( integer $count = null ) : string Generates a Blowfish salt for use in lithium\security\Password::hash(). _Note_: Does not use the 'encode' option of String::random() because it could result in 2 bits less entropy depending on the last character.
_generateSaltMd5 ( ) : string Generates an MD5 salt for use in lithium\security\Password::hash().
_generateSaltXdes ( integer $count = null ) : string Generates an Extended DES salt for use in lithium\security\Password::hash().

Method Details

_generateSaltBf() protected static method

Generates a Blowfish salt for use in lithium\security\Password::hash(). _Note_: Does not use the 'encode' option of String::random() because it could result in 2 bits less entropy depending on the last character.
protected static _generateSaltBf ( integer $count = null ) : string
$count integer The base-2 logarithm of the iteration count. Defaults to `10`. Can be `4` to `31`.
Returns string The Blowfish salt.

_generateSaltMd5() protected static method

Generates an MD5 salt for use in lithium\security\Password::hash().
protected static _generateSaltMd5 ( ) : string
Returns string The MD5 salt.

_generateSaltXdes() protected static method

Generates an Extended DES salt for use in lithium\security\Password::hash().
protected static _generateSaltXdes ( integer $count = null ) : string
$count integer The base-2 logarithm of the iteration count. Defaults to `18`. Can be `1` to `24`. One is subtracted from the non-log value (e.g. 2^18 - 1) to ensure a weak DES key is not used.
Returns string The XDES salt.

check() public static method

Compares a password and its hashed value using PHP's crypt(). Rather than a simple string comparison, this method uses a constant-time algorithm to defend against timing attacks.
See also: lithium\security\Password::hash()
See also: lithium\security\Password::salt()
public static check ( string $password, string $hash ) : boolean
$password string The user-supplied plaintext password to check.
$hash string The known hashed password to compare it to.
Returns boolean Returns a boolean indicating whether the password is correct.

hash() public static method

Using this function is the proper way to hash a password. Using naïve methods such as sha1 or md5, as is done in many web applications, is improper due to the lack of a cryptographically strong salt. Using lithium\security\Password::hash() ensures that:

- Two identical passwords will never use the same salt, thus never resulting in the same hash; this prevents a potential attacker from compromising user accounts by using a database of most commonly used passwords.
- The salt generator's count iterator can be increased within Lithium or your application as computer hardware becomes faster; this results in slower hash generation, without invalidating existing passwords.

Usage:

Hash a password before storing it:

    $hashed = Password::hash($password);

Check a password by comparing it to its hashed value:

    $check = Password::check($password, $hashed);

Use a stronger custom salt:

    $salt = Password::salt('bf', 16); // 2^16 iterations
    $hashed = Password::hash($password, $salt); // Very slow
    $check = Password::check($password, $hashed); // Very slow

Forward/backward compatibility:

    $salt1 = Password::salt('bf', 6);
    $salt2 = Password::salt('bf', 12);
    $hashed1 = Password::hash($password, $salt1); // Fast
    $hashed2 = Password::hash($password, $salt2); // Slow
    $check1 = Password::check($password, $hashed1); // True
    $check2 = Password::check($password, $hashed2); // True

See also: lithium\security\Password::check()
See also: lithium\security\Password::salt()
public static hash ( string $password, string $salt = null ) : string
$password string The password to hash.
$salt string Optional. The salt string.
Returns string The hashed password. The result's length will be:
- 60 chars long for Blowfish hashes
- 20 chars long for XDES hashes
- 34 chars long for MD5 hashes
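The forward/backward compatibility property above is what lets an application raise its Blowfish cost over time. The following added example (not code from the Lithium project) shows a login check that re-hashes a password with the current cost whenever the stored hash is an older, cheaper one. It assumes Lithium's autoloader is loaded and that Blowfish hashes carry the standard crypt() prefix `$2a$NN$`, where NN is the two-digit cost; `CURRENT_BF_COST`, `blowfishCost()` and `verifyAndUpgrade()` are names chosen here.

```php
<?php
// Added example, not part of Lithium. Assumes the framework autoloader is set
// up and that Password::salt('bf', N) yields the crypt() prefix "$2a$NN$".
use lithium\security\Password;

// Base-2 log of the iteration count the application currently wants.
const CURRENT_BF_COST = 12;

// Extracts the cost from a Blowfish crypt() hash; null for MD5/XDES hashes.
function blowfishCost($hash) {
    return preg_match('/^\$2[axy]\$(\d{2})\$/', $hash, $m) ? (int) $m[1] : null;
}

// Verifies a login attempt and returns the hash that should be stored back:
// unchanged on failure or when already strong enough, upgraded otherwise.
function verifyAndUpgrade($password, $storedHash) {
    // Constant-time comparison via Password::check(); never use == on hashes.
    if (!Password::check($password, $storedHash)) {
        return array('ok' => false, 'hash' => $storedHash);
    }
    $cost = blowfishCost($storedHash);
    // A legacy MD5/XDES hash (null cost) or a lower cost is re-hashed now,
    // while the plaintext is legitimately in hand for the login.
    if ($cost === null || $cost < CURRENT_BF_COST) {
        $salt = Password::salt('bf', CURRENT_BF_COST);
        return array('ok' => true, 'hash' => Password::hash($password, $salt));
    }
    return array('ok' => true, 'hash' => $storedHash);
}

// Constructed sample: a hash created earlier under a cheaper cost of 6.
$legacy = Password::hash('correct horse battery staple', Password::salt('bf', 6));

$result = verifyAndUpgrade('correct horse battery staple', $legacy);
// $result['ok'] is true and $result['hash'] now starts with "$2a$12$";
// persist $result['hash'] in place of $legacy.

$failed = verifyAndUpgrade('wrong password', $legacy);
// $failed['ok'] is false and $failed['hash'] is still $legacy.
```

Store the returned hash whenever it differs from the stored one; old hashes keep validating until their owners next log in.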

salt() public static method

Blowfish and XDES are adaptive hashing algorithms. MD5 is not. Adaptive hashing algorithms are designed in such a way that when computers get faster, you can tune the algorithm to be slower by increasing the number of hash iterations, without introducing incompatibility with existing passwords.

To pick an appropriate iteration count for adaptive algorithms, consider that the original DES crypt was designed to have the speed of 4 hashes per second on the hardware of that time. Slower than 4 hashes per second would probably dampen usability. Faster than 100 hashes per second is probably too fast. The defaults generate about 10 hashes per second using a dual-core 2.2GHz CPU.

_Note 1_: this salt generator is different from naive salt implementations (e.g. md5(microtime())) in that it uses all of the available bits of entropy for the supplied salt method.

_Note 2_: this method should not be used to generate custom salts. Indeed, the resulting salts are prefixed with information expected by PHP's crypt(). To get an arbitrarily long, cryptographically strong salt consisting of random sequences of alphanumeric characters, use lithium\util\String::random() instead.

See also: lithium\security\Password::hash()
See also: lithium\security\Password::check()
See also: lithium\util\String::random()
public static salt ( string $type = null, integer $count = null ) : string
$type string The hash type. Optional. Defaults to the best available option. Supported values, along with their maximum password lengths, include:
- `'bf'`: Blowfish (128 salt bits, max 72 chars)
- `'xdes'`: XDES (24 salt bits, max 8 chars)
- `'md5'`: MD5 (48 salt bits, unlimited length)
$count integer Optional. The base-2 logarithm of the iteration count, for adaptive algorithms. Defaults to:
- `10` for Blowfish
- `18` for XDES
Returns string The salt string.
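The 4 to 100 hashes per second guidance above depends on the hardware the application actually runs on. The following added example (not code from the Lithium project) measures one Blowfish hash per candidate count and returns the smallest count that takes at least a target time, so the value can be set once in configuration. It assumes Lithium's autoloader is loaded; `measureBlowfish()` and `pickBlowfishCount()` are names chosen here, and the 0.1 s target corresponds to the 10 hashes per second the defaults aim for.

```php
<?php
// Added example, not part of Lithium. Assumes the framework autoloader is set
// up; timings are measured on the running machine, not taken from the docs.
use lithium\security\Password;

// Returns the wall-clock seconds spent by one Blowfish hash at $count
// (the base-2 logarithm of the iteration count, 4..31 as documented).
function measureBlowfish($count, $password = 'benchmark-only') {
    $salt = Password::salt('bf', $count);
    $start = microtime(true);
    Password::hash($password, $salt);
    return microtime(true) - $start;
}

// Walks upward from Lithium's default count of 10 and returns the first
// count whose single hash takes at least $targetSeconds. Each +1 doubles
// the work, so the result lands between 1x and 2x the target; 0.1 s means
// roughly 10 hashes per second, inside the 4..100 per second window.
function pickBlowfishCount($targetSeconds = 0.1) {
    for ($count = 10; $count <= 31; $count++) {
        if (measureBlowfish($count) >= $targetSeconds) {
            return $count;
        }
    }
    return 31; // documented maximum; unreachable on realistic hardware
}

$count = pickBlowfishCount();
printf("Use Password::salt('bf', %d) on this hardware\n", $count);

// Constructed check that the chosen count really is in the usable range:
// slower than 0.25 s per hash (under 4 per second) would hurt logins.
$seconds = measureBlowfish($count);
printf("One hash at count %d takes %.3f s\n", $count, $seconds);
```

Run this once on production-class hardware, record the count in application configuration rather than hard-coding it at call sites, and repeat the measurement when the hardware changes.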