
Secure Password Salt and Hashing: Blowfish


Solved by Jacques1

<?php
function cryptPass($input, $rounds = 9){
    $salt = "";
    $saltChars = array_merge(range('A','Z'), range('a','z'), range(0,9));
    // build a 22-character salt by picking characters with array_rand()
    for($i = 0; $i < 22; $i++){
        $salt .= $saltChars[array_rand($saltChars)];
    }
    // "$2y$" selects bcrypt; %02d formats the cost as two digits
    return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}

echo $inputPass = "password2";
echo $pass = "password";

$hashedPass = cryptPass($pass);
echo $hashedPass;

// re-hash the input with the stored hash as the salt and compare
if(crypt($inputPass, $hashedPass) == $hashedPass){
    echo "<br /><h1>Password is a match = log user in</h1>";
}else{
    echo "<br />Password does not match = do not log in";
}
?>

My PHP version is 5.2.

When I run the above code I get the password match answer. I should have got the error message.

Can anyone advise me?

Thank you.

  • Solution

There's a lot wrong with this.

First of all, PHP 5.2 is hopelessly outdated. It was abandoned back in 2011 and is full of unfixed bugs. Even worse: the bcrypt implementation of all PHP versions before 5.3.7 is broken. So you cannot use PHP 5.2. If that's all you get from your webhoster, then there's something very wrong with their update policy. Get away from them and get a proper hoster.

Secondly, never just copy and paste some code you found somewhere on the Internet. Whoever wrote this implementation clearly doesn't know what she's doing. The salt alphabet is wrong, the salt is not random, and there's no error checking whatsoever. This is badly screwed up.

Last but not least, never fumble with cryptography on such a low level. When you call crypt() directly, you're doing it wrong. This function is highly complex and shouldn't be used by anybody but library authors.

So:

  • Get a proper webhoster with an up-to-date PHP version. You need at least 5.3.7 to use bcrypt. The current version is in fact 5.5.
  • If you can get PHP 5.5, use the new Password Hashing extension. It offers a nice high-level interface for password hashing and takes care of all the ugly details. If you cannot get PHP 5.5, you need a proper library. Use the password_compat library by Anthony Ferrara.
  • You need to get familiar with error checking, especially when you deal with security code. You can't just call a function and assume that it always runs successfully. What if it fails? You need to check that by looking at the return value.
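The following is an added example illustrating the answer above; it is not code from the original post, nor from the Password Hashing extension or the password_compat library. The function names hashPassword() and verifyPassword() are my own, and the low-level fallback assumes ext/openssl is available for random bytes. It shows the two points the answer makes: prefer the high-level password_hash()/password_verify() API when it exists, and if you must call crypt() yourself, check every return value, because a failed crypt() returns a short error string rather than a hash, and storing that string means a later comparison is between two error strings, not two hashes, which is how "any password matches" can happen.

```php
<?php
// Added example, not code from the original post or from password_compat.
// hashPassword()/verifyPassword() are names chosen for this illustration.

function hashPassword($plain, $cost = 10)
{
    if (function_exists('password_hash')) {
        // PHP 5.5+, or PHP 5.3.7+ with password_compat loaded. The library
        // generates the salt from a proper random source itself.
        $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
        if ($hash === false) {
            throw new RuntimeException('password_hash() failed');
        }
        return $hash;
    }

    // Low-level fallback for PHP 5.3.7+ without the library. Refuse to run on
    // anything older: the bcrypt implementation before 5.3.7 is broken.
    if (version_compare(PHP_VERSION, '5.3.7', '<')) {
        throw new RuntimeException('bcrypt needs PHP 5.3.7 or later');
    }
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }

    // 16 random bytes from a CSPRNG (assumes ext/openssl), not array_rand(),
    // which is driven by a non-cryptographic generator.
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    // bcrypt expects 22 salt characters from the alphabet ./A-Za-z0-9.
    // base64 of 16 bytes is 24 characters ending in "==": keep the first 22
    // and map "+" to "." so every character is inside that alphabet.
    $salt = substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);

    $hash = crypt($plain, sprintf('$2y$%02d$', $cost) . $salt);
    // On failure crypt() returns a string shorter than 13 characters;
    // a real bcrypt hash is always exactly 60 characters long.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function verifyPassword($plain, $storedHash)
{
    if (function_exists('password_verify')) {
        return password_verify($plain, $storedHash);
    }

    // Reject anything that is not a well-formed bcrypt hash before calling
    // crypt(). This is the check the original code lacks: a stored failure
    // string is not a valid salt, so crypt() fails again and the comparison
    // is no longer between two hashes.
    if (!is_string($storedHash) || strlen($storedHash) !== 60
        || !preg_match('#^\$2[axy]\$\d{2}\$#', $storedHash)) {
        return false;
    }
    $check = crypt($plain, $storedHash);
    if (!is_string($check) || strlen($check) !== 60) {
        return false;
    }
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    $diff = 0;
    for ($i = 0; $i < 60; $i++) {
        $diff |= ord($check[$i]) ^ ord($storedHash[$i]);
    }
    return $diff === 0;
}

// Usage with the same two strings as the original post.
$hash = hashPassword('password');
var_dump(verifyPassword('password', $hash));
var_dump(verifyPassword('password2', $hash));
```

The length and prefix checks are what turn a silent crypt() failure into a refused login instead of an accepted one; password_verify() performs equivalent validation internally, which is one reason the answer recommends it over calling crypt() directly.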

I've done some research on the web and found that the crypt_blowfish function using this hashing algorithm is used in PHP 5.3.0+. If you insist on using it you would probably need to create a patch for this older PHP version, which isn't a good idea. Why do you want/need to use this version of PHP?
