I am working on a script and need to save passwords. For development purposes, I have been using the crypt()
function because it was easy and available. Now that I am mostly done, I want to replace it with something a little better and more consistent.
Some of the concerns I have are:
I want something that works with PHP 4.3+.
Is there anything available, or should I stick with crypt()
? I thought about using md5(md5($password).$salt)
. Thanks for the insight.
There is nothing wrong with crypt
If your server does not support it, use another server.
You should NEVER use MD5 for hashing passwords (or even SHA1 for that matter)
Use either bcrypt (the blowfish method of crypt
) or pbkdf2
There is an implementation of pbkdf2 here: Encrypting Passwords with PHP for Storage Using the RSA PBKDF2 Standard
More information on why and how here:
First of all: Prepending the salt is not a security problem. Having a per-password salt is a big goodie, and it's perfectly OK to it being store alongside the pw.
Now: As long as you don't transport password hashes from one system to another, and the latter not supporting the default algorithm of the first, nothing bad will happen by definition. Since PHP 5.3 there are built-in algorithms in PHP such as Blowfish, that are guaranteed to be available.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With