C:/drupal/includes/password.inc File Reference



Enumerations

enum  DRUPAL_HASH_COUNT
enum  DRUPAL_MIN_HASH_COUNT
enum  DRUPAL_MAX_HASH_COUNT

Functions

 _password_itoa64 ()
 _password_base64_encode ($input, $count)
 _password_generate_salt ($count_log2)
 _password_crypt ($password, $setting)
 _password_get_count_log2 ($setting)
 user_hash_password ($password, $count_log2=0)
 user_check_password ($password, $account)
 user_needs_new_hash ($account)


Detailed Description

Secure password hashing functions for user authentication.

Based on the Portable PHP password hashing framework.

An alternative or custom version of this password hashing API may be used by setting the variable password_inc to the name of the PHP file containing replacement user_hash_password(), user_check_password(), and user_needs_new_hash() functions.

Definition in file password.inc.


Enumeration Type Documentation

enum DRUPAL_HASH_COUNT

The standard log2 number of iterations for password stretching. This should increase by 1 at least every other Drupal version in order to counteract increases in the speed and power of computers available to crack the hashes.

Definition at line 22 of file password.inc.

enum DRUPAL_MAX_HASH_COUNT

The maximum allowed log2 number of iterations for password stretching.

Definition at line 32 of file password.inc.

enum DRUPAL_MIN_HASH_COUNT

The minimum allowed log2 number of iterations for password stretching.

Definition at line 27 of file password.inc.


Function Documentation

_password_base64_encode ($input, $count)

Encode bytes into printable base 64 using the *nix standard from crypt().

Parameters:
$input The string containing bytes to encode.
$count The number of characters (bytes) to encode.
Returns:
Encoded string

Definition at line 52 of file password.inc.

References $output, $value, and _password_itoa64().

Referenced by _password_crypt(), and _password_generate_salt().


_password_crypt ($password, $setting)

Hash a password using a secure stretched hash.

By using a salt and repeated hashing the password is "stretched". Its security is increased because it becomes much more computationally costly for an attacker to try to break the hash by brute-force computation of the hashes of a large number of plain-text words or strings to find a match.

Parameters:
$password The plain-text password to hash.
$setting An existing hash or the output of _password_generate_salt().
Returns:
A string containing the hashed password (and salt) or FALSE on failure.

Definition at line 124 of file password.inc.

References $output, _password_base64_encode(), and _password_get_count_log2().

Referenced by user_check_password(), and user_hash_password().


_password_generate_salt ($count_log2)

Generates a random base 64-encoded salt prefixed with settings for the hash.

Proper use of salts may defeat a number of attacks, including:

  • The ability to try candidate passwords against multiple hashes at once.
  • The ability to use pre-hashed lists of candidate passwords.
  • The ability to determine whether two users have the same (or different) password without actually having to guess one of the passwords.

Parameters:
$count_log2 Integer that determines the number of iterations used in the hashing process. A larger value is more secure, but takes more time to complete.
Returns:
A 12 character string containing the iteration count and a random salt.

Definition at line 95 of file password.inc.

References $output, _password_base64_encode(), _password_itoa64(), and drupal_random_bytes().

Referenced by user_hash_password().


_password_get_count_log2 ($setting)

Parse the log2 iteration count from a stored hash or setting string.

Definition at line 163 of file password.inc.

References _password_itoa64().

Referenced by _password_crypt(), and user_needs_new_hash().


_password_itoa64 ()

Returns a string for mapping an int to the corresponding base 64 character.

Definition at line 37 of file password.inc.

Referenced by _password_base64_encode(), _password_generate_salt(), and _password_get_count_log2().

user_check_password ($password, $account)

Check whether a plain text password matches a stored hashed password.

Alternative implementations of this function may use other data in the $account object, for example the uid to look up the hash in a custom table or remote database.

Parameters:
$password A plain-text password
$account A user object with at least the fields from the {users} table.
Returns:
TRUE or FALSE.

Definition at line 203 of file password.inc.

References _password_crypt().


user_hash_password ($password, $count_log2 = 0)

Hash a password using a secure hash.

Parameters:
$password A plain-text password.
$count_log2 Optional integer to specify the iteration count. Generally used only during mass operations where a value less than the default is needed for speed.
Returns:
A string containing the hashed password (and a salt), or FALSE on failure.

Definition at line 180 of file password.inc.

References _password_crypt(), _password_generate_salt(), and variable_get().


user_needs_new_hash ($account)

Check whether a user's hashed password needs to be replaced with a new hash.

This is typically called during the login process when the plain text password is available. A new hash is needed when the desired iteration count has changed through a change in the variable password_count_log2 or DRUPAL_HASH_COUNT or if the user's password hash was generated in an update like user_update_7000().

Alternative implementations of this function might use other criteria based on the fields in $account.

Parameters:
$account A user object with at least the fields from the {users} table.
Returns:
TRUE or FALSE.

Definition at line 235 of file password.inc.

References _password_get_count_log2(), and variable_get().



Generated on Mon Jun 2 15:08:07 2008 for SimpleTest by Doxygen 1.5.5