Exactly how do I use blowfish in PHP?
Solution 1
Take a look at http://php.net/manual/en/function.crypt.php
If you scroll down about 1/3, you should see the heading: Example #3 Using crypt() with different hash types. Hopefully this will help! and your salt should be fine!
Solution 2
In short: don't build it yourself. Use a library.
In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.
I've also created a backwards-compatibility library for it here: password-compat:
$hash = password_hash($password, PASSWORD_BCRYPT);
And then to verify:
if (password_verify($password, $hash)) {
/* Valid */
} else {
/* Invalid */
}
And if you want another library, check out phpass
In short, don't do it yourself. There's no need. Just import the library and be done with it...
Comments
-
sharf almost 2 years
Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.
My question is how exactly do I use blowfish? I've read that crypt() will auto select blowfish if an appropriate salt is provided. If that is the case, What makes a salt blowfish appropriate?
Right now, I have a script that makes a salt out of the date and time, a random number, then hash that for the salt. Is that something I can use with blowfish or not?
-
sharf over 11 yearsI have seen that but I'm still confused. Do I just tack $2a$07$ to the front of my salt (and another $ to the end) to make it use blowfish? Also, what is the 07 in that example, the number of rounds?
-
sharf over 11 yearsI've read that, and will probably use that in the long run, but I like to understand how to do things myself. Thanks for the tip, but it doesn't answer my question.
-
ircmaxell over 11 years@sharf: look at what the libraries do (the compat one should be pretty easy to read). That should give you insight on how it all works...
-
sharf over 11 yearsThat still doesn't answer my question.
-
ircmaxell over 11 yearsA few points: 1. The question is about the password hashing algorithm (see the passwords and crypt tags). 2. You're using ECB. Bad developer, no donut. 3. You're using a static, hard-coded key. Again, bad. 4. You're not storing the IV on encryption, meaning that decrypt will NEVER work (for non-ECB modes)...
-
Ben Duffin over 11 yearshelpful comment - could you rewrite it to suit the conditions you specify please? Although I disagree about the off-question part - the chap wanted to know about how to encrypt with blowfish did he not? Not knowing his code I simply tried to give him a utility to allow him to encrypt and decrypt given data with the blowfish algo. What does non-ECB mode mean as I use quite similar code in some large apps and have had no trouble with it - am i missing something? :S hope not!
-
ABC over 11 yearsYes exactly, with the 07, the higher number, the more rounds and the longer it takes
-
ircmaxell over 11 yearsFirst, no, he was not talking about encryption, he asked about hashing. So it's definitely off-topic. As far as the other issues, it's insecure: One, Two, Three.
-
ircmaxell over 11 yearsAnd if you want more feedback, post it to codereview.stackexchange.com
-
Ronni Skansing about 10 yearsThis is not exactly what the OP asks, but this is the answer the OP needs -
ircmaxell about 10 years@BenDuffin: You actually just proved my point with your comment.
crypt()can do bcrypt. But it is easy to screw up. It is easy to wind up in a situation where you kill security. Which is why I did not recommend actually using it directly, but using a library. Because cryptography is hard, and you shouldn't do it yourself if you have an alternative. And there are alternatives. -
emiliopedrollo over 7 yearsmcrypt will be deprecated on php 7.1 in favor of OpenSSL
