Using Blowfish for Encryption with PHP

KyelJmD · Jun 24, 2012 · Viewed 8.9k times

I am working on a registration form where I need to encrypt a password. I've heard that it is recommended for me to use the Blowfish encryption for passwords. How do you implement Blowfish encryption using the PHP crypt() function? Also, I am planning to retrieve the password later for logging in.

Answer

Herbert · Jun 24, 2012

The short answer is to use crypt with a salt beginning with the characters $2a$, a two-digit cost parameter, $, and 22 digits from the alphabet ./0-9A-Za-z. That only works on systems that support the Blowfish encryption algorithm. However, PHP 5.3 implements it natively. See PHP manual — crypt for more details.

Example:

crypt('rasmuslerdorf', '$2a$07$somesillystringforsalt')

The salt string triggers the appropriate algorithm. The two-digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in the range [04 – 31]. In the example, 07 tells the algorithm to use 2^7 or 128 iterations. The higher this number, the longer it will take to execute BUT, in the context of hashing user passwords, that is a GOOD thing.

This answer to a similar question explains in more detail what BCrypt is, how it relates to Blowfish, and why you should use it. There are many other related topics here on Stack Overflow.


phpass is an excellent, easy to use password hashing framework that works on all systems, using Blowfish if it’s supported, and falling back to other algorithms if it’s not.
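
How registration and login fit together with crypt(), as an added example that is not part of the original answer: the password is hashed once with a random per-user salt, and a login attempt is checked by re-hashing it against the stored value instead of retrieving the password. The function names, the cost of 10, and the use of random_bytes() and hash_equals() (PHP 7 or later) are assumptions made for this example.

```php
<?php
// Added example; names and the cost value are assumptions, not from the answer.

const EXAMPLE_COST = 10; // assumed work factor; must lie in 04-31

function bcrypt_hash_password(string $password, int $cost = EXAMPLE_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('cost must be between 4 and 31');
    }
    // 16 random bytes -> base64 -> map '+' to '.' so every character is in
    // the ./0-9A-Za-z alphabet, then keep the 22 characters crypt() expects.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);

    // "$2a$" is the prefix used in the answer; the cost is zero-padded to 2 digits.
    $hash = crypt($password, '$2a$' . sprintf('%02d', $cost) . '$' . $salt);

    // On failure crypt() returns a short marker string, never a 60-character hash.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or salt rejected');
    }
    return $hash; // store this whole string; it embeds prefix, cost and salt
}

function bcrypt_verify_password(string $password, string $storedHash): bool
{
    // Reject anything that is not a full bcrypt string before calling crypt().
    if (strlen($storedHash) !== 60 || strncmp($storedHash, '$2', 2) !== 0) {
        return false;
    }
    // Passing the stored hash as the salt re-uses its prefix, cost and salt.
    $candidate = crypt($password, $storedHash);

    // Constant-time comparison avoids leaking how many characters matched.
    return is_string($candidate) && hash_equals($storedHash, $candidate);
}

// Constructed sample data: registration, then two login attempts.
$stored = bcrypt_hash_password('rasmuslerdorf');
var_dump(bcrypt_verify_password('rasmuslerdorf', $stored)); // correct password
var_dump(bcrypt_verify_password('wrong-guess', $stored));   // wrong password
```

On PHP 5.5 and later, the built-in password_hash() and password_verify() perform the same salt generation, hashing and comparison steps.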