THAPA TECHNICAL

HOUSE OF WEB DEVELOPERS AND TECHNOLOGY.

PHP crypt() vs password_hash() Functions


PHP | crypt(), password_hash() Functions


In the previous article on md5(), sha1(), and hash() Functions we saw that one of the major drawbacks of the method was that these algorithms were very fast due to less complexity and thus more vulnerable to attacks, they are even suggested not to use in a full-fledged project of greater importance. Thus, PHP now provides a couple new methods to hash user passwords in a much more optimized and secure way. The methods are discussed as follows:
crypt() Function
Syntax:


string crypt ($string, $salt)
Parameters: The function an take up to a maximum of two parameters as follows:
  • $string: This parameter expects the string to be hashed.
  • $salt: This is an optional parameter by definition but it is almost never expected to leave the salt field undefined. The salt parameter expects a random string to be used as the base of the hashing. Many developers tend to use the combination of some specific fields and random characters appended together.
Return Type: This function returns the hashed string.
As crypt() was better than its predecessors it was widely used, but the reliability of the function was questionable, hence PHP now provides a built-in function to serve the purpose of Password Hashing and is recommended for use.
password_hash() Function
Syntax:
string password_hash($string, $algo, $options)
Parameters: The function an take up to a maximum of three parameters as follows:
  • $string: This parameter expects the string to be hashed.
  • $algo: This parameter expects an integer value that refers to the algorithm to be used for the purpose. Three algorithms are available as follows:
    • PASSWORD_DEFAULT: This is the recommended algo, as the developer team of PHP is adding new algorithms and updating the following to be the best option.
    • PASSWORD_BCRYPT: This algorithm uses the CRYPT_BLOWFISH algorithm and generates a crypt() equivalent hash.
    • PASSWORD_ARGON2I: Uses the Argon2 Hashing Algorithm.
  • $options: This is an optional parameter that expects an array of advanced options as described. The supported options for each algorithm slightly differ from each other. The supported options are as follows:
    Supported options for PASSWORD_BCRYPT:
    • Cost: Maximum Algorithmic Cost to be applied. The default value is 10. Algorithmic cost directly affects the loading time and depends significantly on the hardware running.
    • Salt: Developers can provide manual salts as well, but it is not recommended.
    Supported options for PASSWORD_ARGON2I:
    • Memory cost: Maximum Memory Cost to be applied to generate the hash.
    • Time cost: Maximum Time to be taken to calculate the hash.
    • Threads: Number of threads to be used.
Return Type: This function returns the hashed string on success or FALSE.
Below program illustrates the working of crypt() and password_hash() in PHP:


$str = 'Password'; 

$options = [ 

               'cost' => 10, 

               'salt' => '$P27r06o9!nasda57b2M22'

           ]; 

echo sprintf("Result of crypt() on %s is %s\n",  
$str, crypt($str, $options['salt'])); 

echo sprintf("Result of DEFAULT on %s is %s\n",  $str, password_hash($str, PASSWORD_DEFAULT)); 

echo sprintf("Result of BCRYPT on %s is %s\n", $str,   password_hash($str, PASSWORD_BCRYPT, $options)); 
Output:
Result of crypt() on Password is $PFKQN2rkmKu6
Result of DEFAULT on Password is $2y$10$yqFvDGy
v2Tz4d/A/yulbFe5ISH9oR3gvU7GQLMYRKR7XQJnGpQOau
Result of BCRYPT on Password is $2y$10$JFAyN3Iw
Nm85IW5hc2RhNOlEBYnR992.gf.5FqZhHSbln3a4jtQpi
Important points to note:
  • A hashing algorithm should preferably be a one-way route i.e. there should not exist a decrypt method, following this concept, the described functions has no decrypt method.
  • Not having any decrypting method the validation of password would require to crypting every input provided by the user on time of login, thus PHP provides password_verify() Function to validate the same.
  • crypt() and password_hash() are both compatible with each other. We can say that password_hash() method is a much more user-friendly wrapper of the crypt() method itself.
Reference: