Member Avatar for iamthwee

K, so I'm using crypt() to hash my passwords as that seems to be the latest and greatest advice circulating on the net. OK, no problem this I'm doing as luckily my production server supports 5.3 ... Well I have my own VPS so upgrading wouldn't be an issue except it's got a lot of other crapola on there which needs to be backwards compatible.

But I got a few queries. If I was to move to a different server but copy the same db over of the hashs already generated would it still decrypt the password properly. I read somewhere that the hash it uses depends on the server it is on. Would there be any portability issues?

The other concern is, I don't quite get how it works per se. Do you need to salt it? How do you know the algo it uses by default is strong enough.

Lastly, I'm using this in CodeIgniter. I don't think it should be an issue as I am using this as a standalone function... But is that safe to do so?

Ta.

Member Avatar for diafol

Do you need to salt it?

From the manual:

However, crypt() creates weak password without salt. PHP 5.6 or later raise E_NOTICE error without it. Make sure specify strong enough salt for better security.

Keeping at 5.3 is probably a bad idea. Moving onwards, you could use the new password hash functions.

Member Avatar for iamthwee

Keeping at 5.3 is probably a bad idea

Indeed but then there are real world problems, real world contraints to consider, such as converting legacy code some (thousands of lines long - which work) the time and cost.

I'm just concerned that this crypt() functions seems dependent on the Operating System and not even the PHP version. I mean this is a pretty big concern isn't it?

On one system with the same version of PHP installed my hashes are small, on the other it is stronger. [exact same password and code]

Although that is a concern, more to the point is portability.

Let's say in the future I move server or something... Are those hashes now backwards compatible? Or do I need to send all users a 'reset password email?'

I just don't particularly like the fact I don't know what encryption cypher it is using.

I'm even tempted to use $this->encrypt->SHA256()... I mean at least that way given the same versions of PHP I can expect some consistency?

Member Avatar for diafol

I've been using hash_hmac. I think you're right to say that you'll produce different hashes on different versions of php and servers with crypt.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.