I'm working on a basic password system using the password_hash function, and was wondering about the need for the familiar 'Choose a password with uppercase, lowercase, number and symbol' rules.
PHP's password_hash automatically generates a strong random salt, adds it to the password and hashes the result. Then it outputs a final string that has three sections:
- The algorithm used and number of times it encoded the data
- The random salt
- The resulting hash
These sections are concatenated into a single string:
For example a password 'password' is processed as follows:
$password = 'password';
//using password_hash with Blowfish encryption
$hashtext = password_hash($password, PASSWORD_BCRYPT);
//user tries to log in with password $login
//which is hashed with the same encoder and salt as contained in $hashtext
if (password_verify ($login , $hashtext )) {
echo 'Password good';
}else {
echo 'Wrong password';
}
Assume that the $hashtext is stored in a database which later is hacked so that this is read and the encoding type and salt is known. Is the strength of the security now based solely on the strength of the password? ie the hacker sets up a function with the same encoder and salt value and runs through a dictionary of possible passwords until the resultant output is the same as $hashtext, confirming that the dictionary value being checked is the original password.
I assume that the randomness and complexity of the salt alone makes this process probably impractical, but would also making the original password p@55Word really add much to the security?
Yes, I realise that those are terrible choices for passwords!
Any help would be appreciated!
Many thanks, Kw