Password hashing for php 5.3.3 [duplicate] - php

According to the manual, password_hash can be used for (PHP 5 >= 5.5.0).
After searching for an alternative way I found this simple function here: http://www.sitepoint.com/password-hashing-in-php/
    function generateHash($password) {
        if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
            $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
            return crypt($password, $salt);
        }
    }
I can manage my code by using function_exists before calling it, but my question is about the alternative code above: is it secure or not, or is there any alternative in older versions of PHP?

For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
Generating your own salts takes a lot of know-how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.
Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2.

For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat, written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility.

Related

what is an alternative to password_hash() for (PHP 5 < 5.5.0)?


Different versions of PHP different results of crypt ()

Code:
    echo $a = 'stackoverflow';
    echo '<br>';
    echo $b = '$2a$10$bf57caf7e1fa23e4b975ab';
    echo '<br>CRYPT:<br>';
    echo crypt($a, $b);
Results:
PHP 5.2.5
stackoverflow
$2a$10$bf57caf7e1fa23e4b975ab
CRYPT:
$2.LaeiP21fsQ
PHP 5.4.4
stackoverflow
$2a$10$bf57caf7e1fa23e4b975ab
CRYPT:
$2a$10$bf57caf7e1fa23e4b975aOhXjTtYrqOYLfHsxdOxGRhF03.LtKewW
I want to move the script to a new server with PHP 5.4.4.
I would like to get the same effect as the 5.2.5 hashes, otherwise I will lose some data.
If I use a salt ending with $, the result is the same.
I read this:
    As of PHP 5.3.0, PHP contains its own implementation and will use that
    if the system lacks support for one or more of the algorithms.
But the algorithm should not be different.
Please help.
Prior to PHP 5.3.0, Blowfish was only available if your system's C library provided it (and almost no one's did). Passing a Blowfish salt in systems that don't have a Blowfish implementation results in a crapshoot of algorithm selection - usually, a DES hash.

`password_verify` call returning false for correct password

I have the following snippet of code:
    // bcrypt hash of 'password'
    $hash = '$2y$10$4u0cQ.WEnwHDo.C5Nl1vm.shKA0beQ32wqzphSfzklAq9OcDM2nLu';
    if (password_verify('password', $hash)) {
        print_r('woohoo!');
    } else {
        print_r('fubar');
    }
On one server it's working fine (woohoo!), on another it doesn't work. I've just put it up on codepad.org and it fails there too.
The problem is (as can be seen on that codepad page) that the hash computed by crypt is of length 13 instead of the required 60.
I'm using ircmaxell's password_compat library on GitHub to implement the PHP 5.5-only password_verify function.
It seems that you are running the script on a PHP version lower than 5.3.7, and therefore the algorithm '2y' is not yet known.
If possible, I would consider doing a PHP upgrade on this server; the '2y' parameter solves a problem with Unicode input strings.
Should this not be an option, then you can replace the algorithm in the compatibility pack. Somewhere about line 49 you will find...
    $hash_format = sprintf("$2y$%02d$", $cost);
...change it to the former BCrypt constant '2a'...
    $hash_format = sprintf("$2a$%02d$", $cost);
...this is of course not optimal, but it is the best you can do on earlier versions.
A newly generated password hash will now start with '$2a$10$...' and the verification with this hash value should work on every system.
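The three threads above (the salt question, the 13-character DES fallback in the crypt() thread, and the '2y' versus '2a' prefix here) fit together in one version-gated helper. This is an added example, not code from any of the answers or from password_compat; the function names are mine, and it assumes a PHP 5.3.x build with either openssl_random_pseudo_bytes or a readable /dev/urandom.

```php
<?php
// Added example: bcrypt on PHP 5.3.x with an OS-sourced salt, the prefix chosen
// by PHP version, and a check that crypt() really returned a bcrypt hash.
function secureSalt22()
{
    // 16 random bytes from the OS, never from md5(uniqid(rand())).
    if (function_exists('openssl_random_pseudo_bytes')) {
        $raw = openssl_random_pseudo_bytes(16);
    } elseif (is_readable('/dev/urandom')) {
        $raw = file_get_contents('/dev/urandom', false, null, 0, 16);
    } else {
        throw new RuntimeException('no cryptographic random source available');
    }
    // bcrypt's salt alphabet is ./A-Za-z0-9: map '+' to '.' and keep 22 chars (128 bits).
    return substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
}
function hashPassword($password, $cost = 11)
{
    if (function_exists('password_hash')) {          // PHP >= 5.5
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    // '$2y$' (8-bit character fix) exists only from PHP 5.3.7 on; older builds know '$2a$'.
    $prefix = version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
    $hash = crypt($password, sprintf('%s%02d$%s', $prefix, $cost, secureSalt22()));
    // A 13-character result means crypt() silently fell back to DES.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}
function checkPassword($password, $storedHash)
{
    if (function_exists('password_verify')) {
        return password_verify($password, $storedHash);
    }
    $computed = crypt($password, $storedHash);
    if (strlen($computed) !== strlen($storedHash)) {
        return false;
    }
    // Constant-time comparison (hash_equals only arrived in PHP 5.6).
    $diff = 0;
    for ($i = 0; $i < strlen($computed); $i++) {
        $diff |= ord($computed[$i]) ^ ord($storedHash[$i]);
    }
    return $diff === 0;
}
```

Hashes produced with '$2a$' on an old host stay verifiable after an upgrade, since newer PHP still accepts that prefix; the length check is what turns the silent DES fallback from the crypt() thread into a loud failure.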

Use of undefined constant CRYPT_SHA512

I use a php script that hashes passwords using php's crypt and uses SHA512, however when I try to check if SHA512 is set I get the above error. Of course I know WHY I get this error.. php is missing some dependency. I just don't know what that dependency is.
Can anyone please tell me what I need to install (on an Ubuntu server) to be able to use SHA512 in PHP?
Thanks!
The php docs say that built-in support for SHA-256 and SHA-512 was added in PHP 5.3.2. If you use any earlier versions of PHP, it relies on implementations of those algorithms provided by your system, which apparently yours does not have.
Make sure you have the newest version of PHP5 and install mcrypt - it also contains a lot of other encryption methods like Rijndael (AES).
Bottom line, you should be using mcrypt, not SHA512 or any md5 style hasher. It's too easy to brute force decrypt them. There is a ton of good reference at http://www.php.net/manual/en/function.mcrypt-generic.php and all over google. Below is an example of a 3DES hashed URL using the reference function urlsafe_b64encode from http://www.php.net/manual/en/function.mcrypt-generic.php#71135
    $key = "what can i tell you";
    $request = http_build_query($_REQUEST);
    $request_enc = urlencode(urlsafe_b64encode(mcrypt_ecb(MCRYPT_3DES, $key, $request, MCRYPT_ENCRYPT)));
    $url = "http://localhost/takemerightthere/" . $request_enc;

SHA-512 library for PHP

I am searching for any crypto library that provides SHA-512 hash. Googling around I found some but SHA-512 is absent.
Please suggest.
If you are using PHP >= 5.3, the function openssl_digest should do the trick:
    echo openssl_digest('glop', 'sha512');
gives me this output (split in two lines for better readability):
    416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
    f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
(And you can use openssl_get_md_methods to get the list of available digest methods.)
And with PHP 5.1 or 5.2, you have the hash function:
    echo hash('sha512', 'glop');
gives me the same output (split, too):
    416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
    f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
And, here, to know the list of available digest methods, you can use hash_algos.
In PHP 5 >= 5.1.2, PECL hash >= 1.1:
    hash('sha512', $someStr);
See hash() for more information.
To see all hash algorithms available to you, try:
    print_r(hash_algos());
