hash_pbkdf2 vs password_hash PHP functions

Question

As PHP 5.5.0 is out now,

1. Which one is better to use (security, portability, future proof)?

2. It says the password_hash() PASSWORD_DEFAULT may change in each full release (+1.0 or +0.1) so how can we use previously DEFAULT method hashed password with new default? does that mean PHP 5.5 scripts with already hashed passwords in database will not work on PHP 5.6 until users change their passwords? what about COST change (i'm trying to know if servers can be updated to php v5.6, or website admin may change the hosting provider (and then change COST for weaker/stronger servers), without any problem for current users)

3. Should we wait for some updates or are they already safe to use in 5.5.0

4. Should we still use PHPass etc frameworks or these new PHP 5.5 functions are enough and/or more future proof?

Answer 1

1. The password hashing functions (such as password_hash) are preferred, as they automate more of the process, such as picking a salt, verifying passwords, and rehashing.

2. The password_verify function will automatically detect what algorithm was used to generate a hash, so there's no compatibility issue.

3. These functions are in a released version of PHP, so they should be fine to use.

4. Use PHPass or a shim such as password_compat if your code needs to run on versions of PHP earlier than 5.5. Otherwise, use the password hashing functions.