Which implementation of bcrypt is recommended for PHP 5.3?

OK, I finally understand bcrypt, how it works, and how to store it in the DB, so I'm almost good to go. The problem now is picking which implementation of bcrypt to use with PHP 5.3.

I'm going crazy looking at all the different solutions, and I'm not sure which one is the most recommended and safest to use, so I'm once again turning to you guys.

Here are the ones I've found:

1) https://gist.github.com/marcoarment/1053158

2) http://www.openwall.com/phpass/

3) https://stackoverflow.com/a/6337021/869849

4) ...something else?

Are these interchangeable, or do they produce different hashes? I would like to think that since they are all "bcrypt", they would yield the same results, but I'm not sure (I tested 1) and 2) above and they seem to be interchangeable since the hash produced by 1) checked out on 2)).

So which is the recommended solution for PHP 5.3?

ProgrammerGirl asked Mar 27 '13 16:03


2 Answers

Best solution: you should use the password library that is being built in for PHP 5.5. They've released a backward-compatibility version for PHP 5.3 and 5.4 called password_compat. However, note that you'll need 5.3.7 or higher. There was a security issue with bcrypt prior to 5.3.7, which means that the new library won't work.

If you are on a version prior to 5.3.7, then the next best option is Password Lib by the same author. But I'd suggest upgrading PHP instead would be the better option.

Installing

Both libraries can be installed simply by downloading them, copying them to your site folder, and including their main file in your code, i.e. require('password.php');.

Installing via Composer is also an option if you are using it.

Usage (Assuming you're going with password_compat):

To create a password:

$hash = password_hash($password, PASSWORD_BCRYPT);

To verify a password:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And that's basically all you need to know. The library handles all the other details for you like salting the password, etc.

[EDIT] If you need to change the algorithm 'cost', as per your comment, then add an additional parameter to the password_hash() call to specify it, like this:

password_hash($password, PASSWORD_BCRYPT, array("cost" => 11));

Full documentation is available on the download page I linked above.

The really good thing about using the password_compat library is that it is specifically designed to have the same API and functionality that is being built into PHP as standard in PHP 5.5. Therefore, if you use password_compat while you're on PHP 5.3 or 5.4, when you move to PHP 5.5 you'll already have the right code in your system to use the new built-in password functions. The only difference will be that you won't need to include the library.

Spudley answered Oct 21 '22 14:10
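An added example (not code from the answer above or from password_compat) that puts the password_hash()/password_verify() calls with the "cost" option into a login check, and uses password_needs_rehash(), which password_compat also provides, to upgrade hashes that were stored at a lower cost. The require path and the APP_BCRYPT_COST value are assumptions.

```php
<?php
// Added example. Assumes password_compat is installed so that password_hash(),
// password_verify() and password_needs_rehash() exist on PHP 5.3.7+
// (on PHP 5.5+ they are built in and the require can be dropped).
require_once 'password.php'; // path is an assumption; adjust to where the library lives

// Work factor: each +1 doubles the hashing time. Tune it so one hash takes
// roughly 50-100 ms on the production server. The value is an assumption.
define('APP_BCRYPT_COST', 11);

/**
 * Hash a new password. The library generates the salt; the returned 60-char
 * string ($2y$11$...) embeds algorithm, cost and salt, which is why hashes from
 * the different bcrypt implementations listed in the question verify against
 * each other: they all share the same modular crypt format.
 */
function app_hash_password($password) {
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => APP_BCRYPT_COST));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Verify at login. Returns whether the password matched and, when the stored
 * hash was made with a lower cost than APP_BCRYPT_COST, a replacement hash
 * that the application should write back to the database.
 */
function app_check_password($password, $stored_hash) {
    if (!password_verify($password, $stored_hash)) {
        return array('valid' => false, 'new_hash' => null);
    }
    $new_hash = null;
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => APP_BCRYPT_COST))) {
        $new_hash = app_hash_password($password); // transparent cost upgrade
    }
    return array('valid' => true, 'new_hash' => $new_hash);
}

// Demo: a constructed "stored" hash made at cost 10, standing in for a DB row.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, array('cost' => 10));
$ok = app_check_password('correct horse battery staple', $legacy);
var_dump($ok['valid'], $ok['new_hash'] !== null); // matched; cost 10 < 11, so a new hash is returned
$bad = app_check_password('wrong password', $legacy);
var_dump($bad['valid']); // no match, and no rehash for a failed login
```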


If you are trying to update to PHP 5.5, please review this before migration; this manual has very interesting points that should be read prior to upgrading.

There are changes from 5.3 to 5.4; see the release notes' backward incompatibility page:

http://php.net/manual/en/migration54.incompatible.php

Yousef Altaf answered Oct 21 '22 14:10