Exactly how do I use blowfish in PHP? [duplicate]
Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?

I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.

My question is how exactly do I use blowfish? I've read that crypt() will auto-select blowfish if an appropriate salt is provided. If that is the case, what makes a salt blowfish-appropriate?

Right now, I have a script that makes a salt out of the date and time and a random number, then hashes that for the salt. Is that something I can use with blowfish or not?

Sinasinai answered 10/12, 2012 at 18:17 Comment(1)
For understanding, you could have a look at the comments of this example code; for using it, I would strongly recommend using ircmaxell's excellent API. It is misleading that the second parameter of crypt() is called salt; actually it contains all crypt parameters, including the salt.Monafo
Take a look at http://php.net/manual/en/function.crypt.php

If you scroll down about 1/3, you should see the heading: Example #3 Using crypt() with different hash types. Hopefully this will help, and your salt should be fine!

Miltonmilty answered 10/12, 2012 at 18:22 Comment(2)
I have seen that but I'm still confused. Do I just tack $2a$07$ to the front of my salt (and another $ to the end) to make it use blowfish? Also, what is the 07 in that example, the number of rounds?Sinasinai
Yes, exactly. With the 07, the higher the number, the more rounds and the longer it takes.Miltonmilty
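The two comments above, put into working code (an example added here, not code from the answerer or from the PHP manual; it assumes PHP 7+ for random_bytes() and scalar type hints): the crypt() parameter is the prefix, a two-digit cost from 04 to 31, and 22 characters from [./A-Za-z0-9], where $2y$ (PHP 5.3.7+) is preferred over $2a$ because older PHP builds of $2a$ mishandled passwords containing 8-bit characters. Since crypt() reports failure by returning a short string rather than throwing, the result is checked before it would be stored.

```php
<?php
// Added example, not from the original answers. Assumes PHP 7+ for
// random_bytes() (use openssl_random_pseudo_bytes() on PHP 5).

// 22 characters from the bcrypt salt alphabet [./A-Za-z0-9], taken from a CSPRNG.
function bcrypt_salt_string(): string {
    $b64 = base64_encode(random_bytes(16));      // 24 chars, ends in "==" padding
    return substr(strtr($b64, '+', '.'), 0, 22);  // '+' is not in the bcrypt alphabet
}

// Full crypt() parameter is "$2y$" + two-digit cost + "$" + 22-char salt.
// The returned hash is 60 chars: that 7-char prefix, the 22-char salt, a 31-char digest.
function bcrypt_hash(string $password, int $cost = 10): string {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 04 and 31');
    }
    $param = sprintf('$2y$%02d$%s', $cost, bcrypt_salt_string());
    $hash  = crypt($password, $param); // bcrypt only uses the first 72 bytes of $password
    // crypt() does not throw; on an unsupported or malformed parameter it returns a
    // short failure string such as "*0", so check the shape before storing anything.
    if (strlen($hash) !== 60 || substr($hash, 0, 7) !== substr($param, 0, 7)) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// Verification: passing the stored hash as the second argument makes crypt()
// reuse its prefix, cost and salt, so only the digest part can differ.
function bcrypt_verify(string $password, string $hash): bool {
    $candidate = crypt($password, $hash);
    // Constant-time compare (PHP 5.6+); a "*0" failure string simply compares unequal.
    return hash_equals($hash, $candidate);
}

// Demo with a constructed password and the cost 07 from the comment above.
$hash = bcrypt_hash('correct horse battery staple', 7);
echo $hash, PHP_EOL;
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong password', $hash));
```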
In short: don't build it yourself. Use a library.

In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.

I've also created a backwards-compatibility library for it here: password-compat:

$hash = password_hash($password, PASSWORD_BCRYPT);

And then to verify:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And if you want another library, check out phpass

In short, don't do it yourself. There's no need. Just import the library and be done with it...

Pyramidon answered 10/12, 2012 at 18:27 Comment(5)
I've read that, and will probably use that in the long run, but I like to understand how to do things myself. Thanks for the tip, but it doesn't answer my question.Sinasinai
@sharf: look at what the libraries do (the compat one should be pretty easy to read). That should give you insight on how it all works...Pyramidon
That still doesn't answer my question.Sinasinai
This is not exactly what the OP asks, but this is the answer the OP needsDancette
@BenDuffin: You actually just proved my point with your comment. crypt() can do bcrypt. But it is easy to screw up. It is easy to wind up in a situation where you kill security. Which is why I did not recommend actually using it directly, but using a library. Because cryptography is hard, and you shouldn't do it yourself if you have an alternative. And there are alternatives.Pyramidon