According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
function generateHash($password) {
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
return crypt($password, $salt);
}
}
I can manage my code by using function_exists
before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom
or openssl_random_pseudo_bytes
. Believe me, this isn't something you want to try yourself without serious research and consideration.
Using the new password_*
API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2
For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility