Menu
I am working on a registration form where I need to encrypt password, I've heard that it is recommended for me to use the Blowfish encryption for passwords, How do you implement a blowfish encryption using PHP crypt() function? also, I am planning to retrieve the password later for logging in.
231
The short answer is use crypt with a salt beginning with the characters $2a$, a two digit cost parameter, $, and 22 digits from the alphabet ./0-9A-Za-z. That only works on systems that support the Blowfish encryption algorithm. However, PHP 5.3 implements it natively. See PHP manual — crypt for more details.
Example:
crypt('rasmuslerdorf', '$2a$07$somesillystringforsalt')
The salt string triggers the appropriate algorithm. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range [04 – 31]. In the example 07 tells the algorithm to use 27 or 128 iterations. The higher this number, the longer it will take to execute BUT, in the context of hashing user passwords, that is a GOOD thing.
This answer to a similar question explains in more detail what BCrypt is,how it relates to Blowfish, and why you should use it. There are many other related topics here on Stack Overflow.
phpass is an excellent, easy to use password hashing framework that works on all systems, using Blowfish if it’s supported, and falling back to other algorithms if it’s not.
67
You should never need blowfish to encrypt a password like this. The registration form should be over HTTPS, which will handle defense against an attacker on the wire. The password its self should be hashed (never encrypted). bcrypt is a good password hash function based on blowfish. But there are plenty of posts related to secure password storage on SO.
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
