Exactly how do I use blowfish in PHP?

sharf · Dec 10, 2012 · Viewed 20.7k times

Possible Duplicate:
Best way to use PHP to encrypt and decrypt passwords?

I've been doing a lot with PHP recently and want to make my first login/registration system. As such I've been doing a lot of reading online to figure out the best method(s) for doing this. I've come across a couple of guides and I'm confused on a few instances and I'd like to be sure before I start down this road.

My question is how exactly do I use blowfish? I've read that crypt() will auto-select blowfish if an appropriate salt is provided. If that is the case, what makes a salt blowfish-appropriate?

Right now, I have a script that makes a salt out of the date and time and a random number, then hashes that for the salt. Is that something I can use with blowfish or not?

Answer

ircmaxell · Dec 10, 2012

In short: don't build it yourself. Use a library.

In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.

I've also created a backwards-compatibility library for it here: password-compat:

$hash = password_hash($password, PASSWORD_BCRYPT);

And then to verify:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And if you want another library, check out phpass

In short, don't do it yourself. There's no need. Just import the library and be done with it...
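The following is an added example, not code from the question or the answer above, that shows both halves of the topic: what a salt has to look like for crypt() to select Blowfish (bcrypt), and the password_hash()/password_verify() calls the answer recommends instead. It assumes PHP 7.0 or newer for random_bytes() and scalar type hints; the password_* functions are native from PHP 5.5 and available on 5.3.7+ through the password-compat library the answer links. Function names such as bcrypt_salt() and register() are illustrative names chosen here, not part of PHP or any library.

```php
<?php
// Added example (not from the original question or answer). Assumes PHP 7.0+.

// What makes a salt "blowfish appropriate" for crypt():
//   "$2y$" + two-digit cost (04..31) + "$" + exactly 22 characters drawn
//   from the set ./A-Za-z0-9. ($2y$ is the corrected identifier introduced
//   in PHP 5.3.7; older "$2a$" hashes remain verifiable.)
function bcrypt_salt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 24 base64 chars; the first 22 carry no padding, and
    // only '+' falls outside bcrypt's alphabet, so map it to '.'.
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function bcrypt_manual(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    // A valid bcrypt result is exactly 60 characters; crypt() signals an
    // unusable salt with a short string beginning with "*".
    if (strlen($hash) !== 60 || $hash[0] === '*') {
        throw new RuntimeException('crypt() rejected the salt: ' . $hash);
    }
    return $hash;
}

function bcrypt_manual_verify(string $password, string $hash): bool
{
    // Passing the stored hash as the "salt" reuses its embedded cost and
    // salt characters; compare in constant time to avoid a timing leak.
    return hash_equals($hash, crypt($password, $hash));
}

// The library route the answer recommends: password_hash() generates a
// proper random salt itself, so none of the code above is needed.
function register(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- demonstration on constructed input -------------------------------------
$password = 'correct horse battery staple';

$salt   = bcrypt_salt(10);
$manual = bcrypt_manual($password, $salt);
var_dump(bcrypt_manual_verify($password, $manual));   // bool(true)
var_dump(bcrypt_manual_verify('wrong', $manual));     // bool(false)

// A salt in the questioner's style (a hex digest of date/time plus a random
// number) is not blowfish-appropriate: no "$2y$" prefix and not 22 characters
// of the right alphabet, so crypt() does not select Blowfish at all and falls
// through to an older, much weaker scheme without raising an error.
$hexSalt   = md5(date('c') . mt_rand());
$notBcrypt = crypt($password, $hexSalt);
var_dump(substr($notBcrypt, 0, 4) === '$2y$');        // bool(false)

$stored = register($password);
var_dump(login($password, $stored));                  // bool(true)
var_dump(login('wrong', $stored));                    // bool(false)

// When you later raise the cost, rehash on the next successful login:
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13])); // bool(true)
```

Two caveats worth keeping in mind: bcrypt only uses the first 72 bytes of the password, and the cost parameter should be tuned to your hardware (higher cost means slower hashing for you and for an attacker alike), which is exactly the kind of detail password_hash() and password_needs_rehash() let you adjust without rewriting the salt logic yourself.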