Zend Framework 2
Zend Framework 2 ships with the Zend\Crypt component, which can be used to generate secure password hashes.
Installation
To use it, first install Zend\Crypt via composer:
composer require "zendframework/zend-crypt:2.*"
Usage
Whenever you want to generate a new password hash, just create a new Bcrypt instance as follows:
use Zend\Crypt\Password\Bcrypt;
require_once __DIR__ . '/vendor/autoload.php';
$bcrypt = new Bcrypt();
$secureHash = $bcrypt->create($clearTextPassword);
Verifying a password
Verifying a password is also done via the Bcrypt instance:
if ($bcrypt->verify($clearTextPassword, $secureHash)) {
    echo "Password matches!";
} else {
    echo "Password does NOT match!";
}
Authenticating a user against a database
Please note that you should always authenticate your users against a database by first fetching the identity by identifier or username, and only then verifying the given password against the stored hash of that identity:
$user = $usersGateway->select(['username' => $inputUsername]);
if ($user && $bcrypt->verify($inputPassword, $user->getPasswordHash())) {
    // valid login, may store user identity into session here
}
Increasing hash strength
If you want to generate stronger hashes, you may increase the cost of your Bcrypt hash. The current default value is 10, but as computers get faster, slower hashes may be needed:
$bcrypt = new Bcrypt(['cost' => 16]);
$secureHash = $bcrypt->create($clearTextPassword);
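The two previous sections fit together in practice: a login routine looks the user up first, verifies the submitted password second, and, when the stored hash was produced with a lower cost than the one now configured, re-hashes the password at that moment so that raising the cost migrates existing accounts at their next successful login. The following is an added example, not code from the original page or from Zend Framework; it assumes a composer-installed zendframework/zend-crypt 2.x and replaces the database gateway with a constructed in-memory array (`$users`), and the helper names `bcryptCostOf` and `login` are hypothetical.

```php
<?php
// Added example (not part of the original page or Zend Framework): a complete
// login check that (1) fetches the user record by username first, then
// (2) verifies the submitted password against the stored hash, and
// (3) re-hashes the password when the stored hash was made with a lower
// cost than the one currently configured, so raising the cost migrates
// existing accounts transparently at their next successful login.
// Assumes a composer-installed zendframework/zend-crypt 2.x.
require_once __DIR__ . '/vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;

// The cost the application wants from now on (raised from the default 10).
$bcrypt = new Bcrypt(['cost' => 12]);

// Constructed stand-in for a users table: username => password hash.
// This row was hashed with the old default cost of 10; in a real application
// the rows come from your database gateway.
$users = [
    'alice' => (new Bcrypt(['cost' => 10]))->create('correct horse battery staple'),
];

/**
 * Read the cost factor out of a bcrypt hash string ($2y$NN$...).
 * Returns null if the string does not look like a bcrypt hash.
 */
function bcryptCostOf($hash)
{
    return preg_match('/^\$2[aby]\$(\d{2})\$/', $hash, $m) ? (int) $m[1] : null;
}

/**
 * Authenticate a user: identity lookup first, password verification second.
 * Returns true on success; the caller may then store the identity in the session.
 */
function login(array &$users, Bcrypt $bcrypt, $inputUsername, $inputPassword)
{
    if (!isset($users[$inputUsername])) {
        return false; // unknown user: there is no hash to verify against
    }
    $storedHash = $users[$inputUsername];

    if (!$bcrypt->verify($inputPassword, $storedHash)) {
        return false; // wrong password
    }

    // Password is correct. If the stored hash is weaker than the configured
    // cost, replace it now, while the clear-text password is still available.
    if (bcryptCostOf($storedHash) < $bcrypt->getCost()) {
        $users[$inputUsername] = $bcrypt->create($inputPassword);
    }
    return true;
}

// Wrong password: rejected, stored hash untouched.
var_dump(login($users, $bcrypt, 'alice', 'wrong password'));
var_dump(bcryptCostOf($users['alice']));

// Correct password: accepted, and the cost-10 hash is upgraded to cost 12.
var_dump(login($users, $bcrypt, 'alice', 'correct horse battery staple'));
var_dump(bcryptCostOf($users['alice']));

// Unknown user: rejected before any verification takes place.
var_dump(login($users, $bcrypt, 'mallory', 'anything'));
```

The rehash step is only reachable after `verify()` has succeeded, so a failed login never writes to the user record; in a real application the write on the success path would be an `UPDATE` through the same gateway that served the `SELECT`.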
Integration with Zend\Mvc
Authentication and security are hard: if you use the full-stack ZF2 framework, then you can just plug the ZfcUser module into your applications. Using ZfcUser instead of your own homebrew authentication system gives you the advantage of always having the latest known security vulnerabilities fixed for you by experienced community members.