I am searching for any crypto library that provides SHA-512 hash. Googling around I found some but SHA-512 is absent.
Please suggest.
If you are using PHP >= 5.3, the function openssl_digest should do the trick:
    echo openssl_digest('glop', 'sha512');
gives me this output (split in two lines to get better readability):
416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
(And you can use openssl_get_md_methods to get the list of available digest methods)
And with PHP 5.1 or 5.2, you have the hash function:
    echo hash('sha512', 'glop');
gives me the same output (split, too):
416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
And, here, to know the list of available digest methods, you can use hash_algos.
In PHP 5 >= 5.1.2, PECL hash >= 1.1:
    hash('sha512', $someStr);
See hash() for more information.
To see all hash algorithms available to you, try:
print_r(hash_algos());
According to the manual, password_hash can be used with PHP 5 >= 5.5.0.
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
    function generateHash($password) {
        if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
            $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
            return crypt($password, $salt);
        }
    }
I can manage my code by using function_exists before using it, but my question is whether the above alternative code is secure or not, or is there any alternative for older versions of PHP?
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
Generating your own salts takes a lot of know-how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.
Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2.
For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility.
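The following added example (not code from the thread, phpass or password_compat) shows the approach the answers point to: use password_hash where it exists, and otherwise build the bcrypt salt from openssl_random_pseudo_bytes instead of md5(uniqid(rand())). The function names legacy_password_hash and legacy_password_verify are hypothetical, and the fallback assumes the openssl extension is loaded.

```php
<?php
// Added example: hypothetical helpers, not the API of any library named above.

function legacy_password_hash($password, $cost = 11)
{
    if (function_exists('password_hash')) {           // PHP >= 5.5.0
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    if (version_compare(PHP_VERSION, '5.3.7', '<')) {  // no $2y$ before 5.3.7
        throw new RuntimeException('PHP too old for $2y$; use phpass instead');
    }
    // 16 bytes from the OpenSSL CSPRNG; refuse to continue if it is not strong.
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('No strong random source available');
    }
    // bcrypt salts are 22 characters drawn from ./A-Za-z0-9
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // A failed crypt() returns a short marker string, never 60 characters.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function legacy_password_verify($password, $stored)
{
    if (function_exists('password_verify')) {          // PHP >= 5.5.0
        return password_verify($password, $stored);
    }
    // crypt() reads the algorithm, cost and salt back out of the stored hash.
    $candidate = crypt($password, $stored);
    if (!is_string($candidate) || strlen($candidate) !== strlen($stored)) {
        return false;
    }
    // Compare without returning early at the first differing byte.
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

$hash = legacy_password_hash('correct horse battery staple');
var_dump(legacy_password_verify('correct horse battery staple', $hash));
var_dump(legacy_password_verify('wrong guess', $hash));
```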
Code:
echo $a = 'stackoverflow';
echo '<br>';
echo $b = '$2a$10$bf57caf7e1fa23e4b975ab';
echo '<br>CRYPT:<br>';
echo crypt($a, $b);
Results:
PHP 5.2.5
stackoverflow
$2a$10$bf57caf7e1fa23e4b975ab
CRYPT:
$2.LaeiP21fsQ
PHP 5.4.4
stackoverflow
$2a$10$bf57caf7e1fa23e4b975ab
CRYPT:
$2a$10$bf57caf7e1fa23e4b975aOhXjTtYrqOYLfHsxdOxGRhF03.LtKewW
I want to move the script to a new server with PHP 5.4.4.
I would like to get the same effect as the 5.2.5 hashes, otherwise I will lose some data.
If I use a salt ending with $, the result is the same.
I read this:
As of PHP 5.3.0, PHP contains its own implementation and will use that
if the system lacks of support for one or more of the algorithms.
But the algorithm should not be different.
Please help.
Prior to PHP 5.3.0, Blowfish was only available if your system's C library provided it (and almost no one's did). Passing a Blowfish salt in systems that don't have a Blowfish implementation results in a crapshoot of algorithm selection - usually, a DES hash.
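An added example, not code from the thread: one way to find rows affected by the fallback described above is to classify each stored hash by its format. The function names and the upgrade policy are assumptions; the two sample values are the outputs quoted in the question.

```php
<?php
// Added example: hypothetical helpers for auditing stored crypt() output.

function crypt_scheme($hash)
{
    if (!is_string($hash)) {
        return 'invalid';
    }
    // bcrypt: $2a$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest
    if (preg_match('~^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$~', $hash)) {
        return 'bcrypt';
    }
    if (strncmp($hash, '$6$', 3) === 0) {
        return 'sha512';
    }
    if (strncmp($hash, '$5$', 3) === 0) {
        return 'sha256';
    }
    if (strncmp($hash, '$1$', 3) === 0) {
        return 'md5';
    }
    // Traditional DES: 13 characters. The first two are whatever the salt
    // argument started with (here "$2"), followed by an 11-character digest.
    if (preg_match('~^.{2}[./A-Za-z0-9]{11}$~', $hash)) {
        return 'des';
    }
    return 'unknown';
}

// Assumed policy: DES only uses the first 8 characters of the password, so
// DES, MD5 and unrecognised rows are re-hashed at the next successful login.
function needs_upgrade($hash)
{
    $weak = array('des', 'md5', 'unknown', 'invalid');
    return in_array(crypt_scheme($hash), $weak, true);
}

// The two results quoted in the question above.
$samples = array(
    'PHP 5.2.5' => '$2.LaeiP21fsQ',
    'PHP 5.4.4' => '$2a$10$bf57caf7e1fa23e4b975aOhXjTtYrqOYLfHsxdOxGRhF03.LtKewW',
);
foreach ($samples as $version => $hash) {
    printf("%-10s %-7s upgrade=%s\n", $version, crypt_scheme($hash),
        needs_upgrade($hash) ? 'yes' : 'no');
}
```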
I use a PHP script that hashes passwords using PHP's crypt and uses SHA512, however when I try to check if SHA512 is set I get the above error. Of course I know WHY I get this error: PHP is missing some dependency. I just don't know what that dependency is.
Can anyone please tell me what I need to install (on an Ubuntu server) to be able to use SHA512 in PHP?
Thanks!
The PHP docs say that built-in support for SHA-256 and SHA-512 was added in PHP 5.3.2. If you use any earlier versions of PHP, it relies on implementations of those algorithms provided by your system, which apparently yours does not have.
Make sure you have the newest version of PHP5 and install mcrypt - it also contains a lot of other encryption methods like Rijndael (AES).
Bottom line, you should be using mcrypt, not SHA512 or any md5 style hasher. It's too easy to brute force decrypt them. There is a ton of good reference at http://www.php.net/manual/en/function.mcrypt-generic.php and all over Google. Below is an example of a 3DES hashed URL using the reference function urlsafe_b64encode from http://www.php.net/manual/en/function.mcrypt-generic.php#71135
$key = "what can i tell you";
$request = http_build_query($_REQUEST);
$request_enc = urlencode(urlsafe_b64encode(mcrypt_ecb(MCRYPT_3DES, $key, $request, MCRYPT_ENCRYPT)));
$url = "http://localhost/takemerightthere/".$request_enc;
First, I see that to use CRYPT_BLOWFISH, I need to use a 16 char salt starting with $2a$. However, the php.net documentation for crypt() says that some systems don't support CRYPT_BLOWFISH. How often is that the case?
Next, from their example on the docs, I see I use crypt() as follows:
<?php
$password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}
?>
In order to use CRYPT_BLOWFISH, would the only thing I need to modify be the first line, to make it like so:
    crypt('mypassword', '$2a$07$usesomesillystringforsalt$')
and then the rest of the lines are fine as is?
For PHP before 5.3.0 crypt() used the lib supplied by the OS. If you are using an earlier version, then you'd need to check your OS documentation to see if it is supported (check the value of the CRYPT_BLOWFISH constant) - if not then the algorithm is implemented within the mcrypt() extension for PHP.
The example you've quoted from the docs doesn't seem to make much sense:
    $stored_password = fetch_password($user);
    if (crypt($_REQUEST['password'], $stored_password) === $stored_password) {
        // note that crypt automatically extracts the salt and algorithm type
        // from $stored_password
        // ....
    }
You only need to specify the prefix ($2a$) when creating the password.
HTH
C.