PHP 5.5 password compatibility script for PHP 5.3.x available

essellar

Community Advocate
Community Support
Messages
3,295
Reaction score
227
Points
63
One of the nicest things about PHP 5.5 is its secure password API. The following functions will make secure password management a piece of cake, and will prevent you from doing silly things with your users' passwords, like exposing them in an easy-to-crack fashion. Keep in mind that most people use the same few passwords everywhere, so having an insecure password store on your "little, nobody cares site" isn't just unsafe for your users on your site, it can mean that you're giving away passwords to important things (like online money management, or worse -- email accounts, which probably contain enough user information to cause some real damage). Well, the "it's too hard" and "I don't know how" excuses are gone for good. All you need are:

PHP:
// Hash a new password; the salt and algorithm are embedded in the returned string
$hash = password_hash($password, PASSWORD_DEFAULT);
// Check a login attempt against the stored hash
$status_variable = password_verify($password, $hash);
// Check whether the stored hash should be regenerated under the current algorithm/options
$status_variable = password_needs_rehash($hash, $algorithm, $options);

Managing the salt, etc., is all taken care of for you (using cryptographically random salts stored with the hash and the algorithm in a single value). All you need to do is provide a nice VARCHAR 256 for it to live in. (Yes, I know the hash produced doesn't need a VARCHAR 256 yet, but that will leave room for more secure algorithms in the future without having to alter any tables. The current version uses BCRYPT with a cost factor of 10, which is also the default for PHP 5.5. Future PHP versions may use something else, like SCRYPT, if BCRYPT becomes vulnerable to faster brute-forcing, and that may require longer hashes to be stored.)

While these are features of PHP 5.5, there is a compatible script for PHP 5.3.x in versions with a $2y$ fix (5.3.7 and higher or RHEL/CentOS patched versions) available on GitHub at https://github.com/ircmaxell/password_compat. That's a good thing, since upgrading to PHP 5.5 is going to cause some pain around here, so it may be a long time in coming. This script has been tested on x10Hosting Free Hosting servers, and the required crypt compatibility is available. The ReadMe file is available at the GitHub page, and the PHP manual will tell you the rest.

Be safe, kids — especially with other people's secrets.
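Putting the three functions together, here is an added example (not from the post above or from the password_compat project) of a register/login flow that also upgrades old hashes at login time. It assumes a PDO connection in $pdo, a users table with username and password_hash VARCHAR(256) columns, and that password_compat's password.php has been copied to lib/ next to this file; all three are assumptions.

```php
<?php
// Added example: PHP 5.5 password API, with ircmaxell/password_compat as the
// fallback on PHP 5.3.7+. Assumed: $pdo (PDO), table users(username, password_hash).
if (!function_exists('password_hash')) {
    require_once __DIR__ . '/lib/password.php'; // assumed location of password_compat
}

function register_user(PDO $pdo, $username, $password)
{
    // Salt generation and algorithm selection happen inside password_hash()
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function login_user(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user; same answer as a bad password
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // The plaintext is only available right now, so this is the moment to
    // re-hash if PASSWORD_DEFAULT or its cost has changed since the hash was made.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute(array($newHash, $username));
    }
    return true;
}
```

Because password_needs_rehash() compares the stored hash's algorithm and cost against the current defaults, raising the bcrypt cost later requires no migration script: hashes are upgraded one by one as users log in.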