Exactly how do I use blowfish in PHP?
Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?
I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.
My question is how exactly do I use blowfish? I've read that crypt() will auto select blowfish if an appropriate salt is provided. If that is the case, What makes a salt blowfish appropriate?
Right now, I have a script that makes a salt out of the date and time, a random number, then hash that for the salt. Is that something I can use with blowfish or not?
Answer
In short: don't build it yourself. Use a library.
In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.
I've also created a backwards-compatibility library for it here: password-compat:
$hash = password_hash($password, PASSWORD_BCRYPT);
And then to verify:
if (password_verify($password, $hash)) {
/* Valid */
} else {
/* Invalid */
}
And if you want another library, check out phpass
In short, don't do it yourself. There's no need. Just import the library and be done with it...