
Exactly how do I use blowfish in PHP? [duplicate]

Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?

I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.

My question is how exactly do I use blowfish? I've read that crypt() will auto select blowfish if an appropriate salt is provided. If that is the case, what makes a salt blowfish appropriate?

Right now, I have a script that makes a salt out of the date and time, a random number, and then hashes that for the salt. Is that something I can use with blowfish or not?

sharf asked Dec 10 '12 18:12


2 Answers

In short: don't build it yourself. Use a library.

In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.

I've also created a backwards-compatibility library for it here: password-compat:

$hash = password_hash($password, PASSWORD_BCRYPT);

And then to verify:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And if you want another library, check out phpass.

In short, don't do it yourself. There's no need. Just import the library and be done with it...

ircmaxell answered Oct 06 '22 20:10
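
An added example, not part of the answer above or of the password-compat library: a registration and login flow built on the password_hash() API, which also splits the stored hash to show the layout crypt() recognises as a Blowfish salt ("$2y$", a two-digit cost, "$", then 22 characters from ./0-9A-Za-z). The in-memory $users array, the helper names describe_bcrypt(), register() and login(), the sample credentials and the cost of 12 are assumptions for illustration; PHP 7.1 or later is assumed.

```php
<?php
declare(strict_types=1);

const BCRYPT_COST = 12; // assumption: tune so one hash takes a noticeable fraction of a second

/** Split a bcrypt hash into the fields that make up a Blowfish crypt() string. */
function describe_bcrypt(string $hash): ?array
{
    // "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest = 60 characters
    $re = '#^\$(2[axy])\$(\d{2})\$([./0-9A-Za-z]{22})([./0-9A-Za-z]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt hash
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

function register(array &$users, string $name, string $password): void
{
    // password_hash() generates the salt from the system CSPRNG, so no
    // hand-made salt (date/time, random number, hash of those) is involved.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Re-hash on successful login when the stored cost is below the current policy.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Constructed sample data; the array stands in for a users table.
$users = [];
register($users, 'alice', 'correct horse battery staple');
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]); // legacy low-cost hash

var_dump(describe_bcrypt($users['alice']));          // variant, cost, salt and digest fields
var_dump(login($users, 'alice', 'wrong password'));  // rejected
var_dump(login($users, 'bob', 'hunter2'));           // accepted, and the hash is upgraded
var_dump(describe_bcrypt($users['bob'])['cost']);    // cost after the upgrade
```

Store the full 60-character string in a single column; the variant, cost and salt travel inside it, which is why password_verify() needs no separate salt argument.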


Take a look at http://php.net/manual/en/function.crypt.php

If you scroll down about 1/3, you should see the heading: Example #3 Using crypt() with different hash types. Hopefully this will help! And your salt should be fine!

ABC answered Oct 06 '22 20:10