I am contributing to a relatively mature open source PHP project. I recently discovered that it stores passwords as simple MD5 hashes, which bothers me a lot. I thought that if I was going to fix this, I could also do it correctly (tm), so I wanted to use bcrypt.
First, what I found for other languages: bcrypt-ruby seems to use either the C source code from OpenBSD or the jBCrypt java code. py-bcrypt is a thin shell around BSD code. BCrypt.net is a direct port to jBCrypt .
Now PHP itself supports bcrypt (although it is mistakenly called simply "blowfish") in the crypt function . However, versions prior to 5.3 require support for the system itself, usually provided by crypt_blowfish . phpass is the same and recommends installing either PHP 5.3 or Suhosin .
Since many application users use standard shared hosting, I do not want to require any special server configuration. I was hoping to just steal the code from the PHP 5.3 release, but it is in C, and (from the small number of readings I just made), I cannot require the use of the C extension for project users.
I thought that I was just creating a bcrypt port with pure PHP, but looking at the source of jBCrypt I am not sure what should, given that I am not very familiar with PHP or blowfish, and the error here can be both dangerous and difficult to detect in the first place.
So, I present to you two (multi-part) questions:
- Is my lack of PHP knowledge getting better than me? Can I use one of the already created implementations?
- Should I instead just create a simple loooping function that calls
sha1() or md5() several times for some custom number of times?
security php passwords bcrypt
Xiong Chiamiov
source share