What is an alternative to password_hash() for PHP 5 < 5.5.0?

According to the manual, password_hash() can be used for PHP 5 >= 5.5.0.

After searching for an alternative, I found this simple function here: http://www.sitepoint.com/password-hashing-in-php/

function generateHash($password) {
    // CRYPT_BLOWFISH reports whether this PHP build supports bcrypt ($2y$).
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // Cost 11; the 22-character salt is taken from the hex digits of md5(uniqid(rand())).
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
    // No bcrypt support: falls through and returns null.
}

I can manage my code by using function_exists() before calling it, but my question is about the alternative code above: is it secure or not, or is there any alternative in older versions of PHP?

Mark asked Sep 30 '13 20:09


2 Answers

For PHP versions < 5.3.7, I'd recommend:

http://www.openwall.com/phpass/

For PHP versions >= 5.3.7, use:

https://github.com/ircmaxell/password_compat

Generating your own salts takes a lot of know-how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.

Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2.

Mark answered Oct 05 '22 12:10
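The salt advice in this answer (take the entropy from /dev/urandom or openssl_random_pseudo_bytes rather than from md5(uniqid(rand()))) worked through as an added example; this is not code from the question, from either answer, or from PHPass/password_compat. It assumes PHP >= 5.3.7 for the $2y$ prefix, and the function names are hypothetical.

```php
<?php
// Added example: bcrypt via crypt() for PHP >= 5.3.7 ($2y$), with the salt drawn
// from the OS CSPRNG instead of md5(uniqid(rand())). Function names are hypothetical.
function bcrypt_salt($cost = 11)
{
    // bcrypt wants 22 chars from the alphabet ./A-Za-z0-9 (16 random bytes).
    $bytes = false;
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($strong !== true) { $bytes = false; }   // refuse a weak source
    }
    if ($bytes === false && is_readable('/dev/urandom')) {
        $bytes = file_get_contents('/dev/urandom', false, null, 0, 16);
    }
    if ($bytes === false || strlen($bytes) !== 16) {
        throw new RuntimeException('no CSPRNG available for salt generation');
    }
    // Standard base64 uses '+', bcrypt uses '.'; drop the trailing '==' padding.
    $salt = substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}
function hash_password($password, $cost = 11)
{
    if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
        throw new RuntimeException('this PHP build has no bcrypt support');
    }
    $hash = crypt($password, bcrypt_salt($cost));
    // On failure crypt() returns a short "*0"/"*1" string, never a 60-char hash.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}
function verify_password($password, $hash)
{
    $computed = crypt($password, $hash);   // the stored hash carries its own salt
    if (!is_string($computed) || strlen($computed) !== strlen($hash)) {
        return false;
    }
    $diff = 0;   // constant-time compare; hash_equals() only exists from PHP 5.6
    for ($i = 0, $n = strlen($hash); $i < $n; $i++) {
        $diff |= ord($computed[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}
$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
```

On PHP 5.5+ the same two calls map directly onto password_hash() and password_verify(), so a wrapper like this can be swapped out once the host is upgraded.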


For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat, written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility.

Mark Baker answered Oct 05 '22 11:10