For Ubuntu, NVM (Node Version Manager) works best, so I recommend NVM over alternatives such as n.
Installation and usage are simple. The steps below are taken from the NVM GitHub repository page.
Run the following command to install nvm:
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash
Piping a remote script straight into bash runs whatever the server sends, with your user's privileges. If that matters to you, download install.sh first, read it, and only then run it with bash.
Enable the nvm command by running:
source ~/.bashrc
To check that the installation worked, run:
command -v nvm
It should output nvm. If it does, you can install different versions of Node with:
nvm install v8.11.0
OR
nvm install v8.10.0
Once more than one version is installed, switch between them with:
nvm use 8.10.0
Wednesday, 11 July 2018
Tuesday, 10 July 2018
Securely Hash Passwords with PHP
PHP 5.5+ ships with a password_hash function that generates secure, one-way hashes, and a password_verify function that checks a given password against such a hash. If you're a PHP developer, you should always be storing user passwords securely, no excuses.
Developers carry a large responsibility when handling and storing sensitive user data such as passwords. We should take extra precautions and the necessary steps to make sure that data is safe and secure*.
*Keep in mind that the implementation below is only part of the problem: it protects the password once the web server has received it. It does nothing for the other half, sending the password safely from the browser to the server, which is why the site must be served over HTTPS with a valid TLS certificate.
Hashing passwords
To hash a password, pass the password string to the password_hash function along with the algorithm you want to use, then store the returned hash in the database:
password_hash( $password, $algorithm [, $options ] )
$password - string. The raw password exactly as the user typed it; do not escape, trim or truncate it first, or verification will fail for anyone whose password contains the affected characters.
$algorithm - one of the constants PASSWORD_BCRYPT or PASSWORD_DEFAULT (an integer in PHP 5.5 to 7.3, a string from PHP 7.4 on).
$options - array.
password_hash also generates a random salt every time a hash is produced. The salt is embedded in the returned hash string, so there is no need to store salts in a separate column.
$algorithm
PASSWORD_BCRYPT uses the CRYPT_BLOWFISH algorithm and returns a 60-character string. Note that bcrypt only looks at the first 72 bytes of the password.
PASSWORD_DEFAULT currently also uses bcrypt, but it is allowed to change in future PHP releases. The PHP documentation recommends a column size of 255 so that a longer hash still fits if the default algorithm changes over time.
$options
password_hash supports the following options:
salt - You can pass in your own salt, although password_hash already generates a random salt for each password. This option is deprecated as of PHP 7.0 and removed in PHP 8.0; do not use it.
cost - The algorithmic cost to be used. Default value is 10. Each increment doubles the work for you and for an attacker alike, so pick the highest value your login latency budget allows.
<?php
// Pass options as an associative array. Only 'cost' should be set: the 'salt'
// option is deprecated since PHP 7.0 and removed in PHP 8.0, because
// password_hash() already generates a random salt on every call.
$options = array(
    'cost' => 12,
);
$password_hash = password_hash($password_string, PASSWORD_BCRYPT, $options);
?>
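The cost option is a trade-off that should be measured rather than guessed. The following is an added example, not code from the original post: it times password_hash at increasing costs to pick one that takes roughly a quarter of a second on the host it runs on (the 0.25 s target and the 10 to 15 range are assumptions to tune for your own service), then hashes the same password twice to show the random salt at work and reads the parameters back out of the hash with password_get_info.

```php
<?php
// Added example (not from the original post): choose a bcrypt cost for this
// server by timing password_hash(), and show that the salt is random.
declare(strict_types=1);

// Returns the smallest cost in [$minCost, $maxCost] whose single hash takes
// at least $targetSeconds on this machine. Assumption: ~0.25 s is an
// acceptable login delay; adjust $targetSeconds for your own service.
function calibrateBcryptCost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        if ($elapsed >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

$cost = calibrateBcryptCost();
printf("Chosen cost for this host: %d\n", $cost);

// Hash the same password twice. The 22-character salt that follows "$2y$NN$"
// is freshly generated each time, so the two hash strings differ even though
// both verify against the same password.
$password = 'correct horse battery staple';   // constructed sample input
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

printf("hash1: %s\n", $hash1);
printf("hash2: %s\n", $hash2);
printf("identical hashes? %s\n", $hash1 === $hash2 ? 'yes' : 'no');
printf("hash length: %d\n", strlen($hash1));

// password_get_info() parses the algorithm and cost back out of the hash
// string; this is also how password_verify() knows how to recompute it.
print_r(password_get_info($hash1));

// Both hashes verify against the original password; a near miss does not.
var_dump(password_verify($password, $hash1));
var_dump(password_verify($password, $hash2));
var_dump(password_verify('correct horse', $hash1));
```

Run it with php on the machine that will actually serve logins; the chosen cost depends on that CPU, and the two printed hashes share only their "$2y$NN$" prefix.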
Here's a minimal example of password_hash in a registration handler. The password is hashed as received, and a prepared statement keeps both values out of the SQL text:
<?php
// Hash the raw password; never escape or otherwise alter it before hashing.
$password_hash = password_hash($_POST["password"], PASSWORD_BCRYPT);
// The value of $password_hash should look similar to the following:
// $2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW
// Bind the values instead of interpolating them into the query string.
$stmt = $mysql_connection->prepare(
    "INSERT INTO Users (email, password_hash) VALUES (?, ?)"
);
$stmt->bind_param("ss", $email_address, $password_hash);
$stmt->execute();
?>
Verifying passwords
When checking passwords, use the handy password_verify function, which checks a password string against a password hash and returns a boolean:
password_verify( $password, $hash )
$password - string.
$hash - string.
<?php
$password_string = "abc123";
// Keep the hash in single quotes: inside a double-quoted string PHP would
// treat "$aHhnT035..." as a variable and silently mangle the hash.
$password_hash = '$2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW';
if (password_verify($password_string, $password_hash)) {
    // Correct password
} else {
    // Incorrect password
}
?>
PHP 5.3.7+
There's a very useful library that makes the password_* functions available on servers running PHP 5.3.7+: https://github.com/ircmaxell/password_compat
If you're running an even older version of PHP, it's time to upgrade: PHP before 5.3.7 has a flaw in its bcrypt implementation, which is why the $2y$ hash prefix was introduced (More information).
Password hashing functions
You can get a more thorough, in-depth explanation of the password hashing functions straight from PHP's documentation: http://us2.php.net/manual/en/ref.password.php. There are two additional functions I didn't cover, password_get_info and password_needs_rehash, that you may find useful: the first reports the algorithm and options encoded in a hash, and the second tells you whether a stored hash was made with a different algorithm or cost than you now use, so you can rehash on the next successful login.
For me, it always helps to know or better understand what's going on in the background of these functions.
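To tie the verification step and password_needs_rehash together, here is an added example that is not part of the original post: a registration and login flow against an in-memory SQLite table through PDO. The table and column names, the cost-12 policy and the sample users are assumptions made for the example; it requires the pdo_sqlite extension. On login it verifies the password, and if the stored hash was produced under a weaker policy it rehashes with the current one. It also spends a bcrypt computation on unknown e-mail addresses so that response time does not reveal which accounts exist.

```php
<?php
// Added example (not from the original post): registration and login with
// prepared statements, password_verify(), and transparent rehashing.
// Assumptions: pdo_sqlite is available; table/column names are invented here.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // assumed policy; calibrate per host

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // 255 chars leaves room if PASSWORD_DEFAULT changes algorithm later.
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $email, string $password): void
{
    // Hash the raw password; never escape, trim or truncate it first.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Returns true on success. On success, upgrades the stored hash if it does not
// match the current algorithm/cost policy (for example rows made at cost 10).
function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still burn one bcrypt computation so the response time
    // does not reveal which addresses exist. The dummy hash is made once.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    }
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Password is correct and still in memory: rehash if policy has moved on.
    if (password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $newHash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
        $upd->execute([':hash' => $newHash, ':email' => $email]);
    }
    return true;
}

// Constructed sample data.
$db = openDb();
registerUser($db, 'alice@example.com', 'correct horse battery staple');

// Simulate a legacy row that was hashed at the old default cost of 10.
$legacy = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['bob@example.com', $legacy]);

var_dump(loginUser($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice@example.com', 'wrong password'));
var_dump(loginUser($db, 'nobody@example.com', 'anything'));

// Bob's login succeeds and his stored hash is upgraded to the current cost.
var_dump(loginUser($db, 'bob@example.com', 'hunter2'));
$stored = $db->query("SELECT password_hash FROM users WHERE email = 'bob@example.com'")->fetchColumn();
$info = password_get_info($stored);
printf("bob's hash now uses %s with cost %d\n", $info['algoName'], $info['options']['cost']);
```

The rehash happens only inside a successful login because that is the only moment the plaintext password is legitimately available; a background job cannot upgrade hashes it cannot recompute.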
password_verify() returns false for correct password
Hey guys, I've just recently learned about the new hashing functions of PHP 5.5+, but unfortunately I'm getting mixed results after deciding to try them out myself.
Here is the code, nothing else is on the page:
<?php
$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;
?>
Whenever I echo this value, and copy it from the page to the function:
<?php
var_dump(password_verify("Hello", "Hash I copied from rendered page"));
?>
It returns bool(false).
On the other hand, if I do:
<?php
$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;
var_dump(password_verify("Hello", $hash));
?>
It returns true.
Is there some sort of formatting or security measure being applied to the echoed $hash? I've tried Google to no success.
Using password_get_info() on the copied $hash I get the following:
array(3) { ["algo"]=> int(0) ["algoName"]=> string(7) "unknown" ["options"]=> array(0) { } }
Something is clearly being lost here.
Thank you for your time guys.