what is an alternative to password_hash() for (PHP

2019-01-18 22:42发布

问题:

According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)

After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}

I can manage my code by using function_exists before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?

回答1:

For PHP versions < 5.3.7, I'd recommend:

http://www.openwall.com/phpass/

For PHP versions >= 5.3.7, use:

https://github.com/ircmaxell/password_compat

Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.

Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2



回答2:

For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility