Using Blowfish to Encrypt with PHP

I am working on a registration form where I need to encrypt a password. I heard that it is recommended to use Blowfish encryption for passwords. How do I implement Blowfish encryption using the PHP crypt() function? In addition, I plan to retrieve the password later for logging in.

+6
2 answers

The short answer is to use crypt with a salt starting with the characters $2a$, a two-digit cost parameter, $, and 22 digits from the alphabet ./0-9A-Za-z. This only works on systems that support Blowfish encryption. However, PHP 5.3 implements it natively. See the PHP crypt manual for more details.

Example:

 crypt('rasmuslerdorf', '$2a$07$somesillystringforsalt') 

The start of the salt string indicates the algorithm. The two-digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hash algorithm and should be in the range 04-31. In the example, 07 tells the algorithm to use 2^7, or 128, iterations. The higher this number, the more time it will take to execute, BUT in the context of hashing user passwords, that is GOOD.

This answer to a similar question explains in more detail what BCrypt is, how it relates to Blowfish and why you should use it. There are several others on Stack Overflow.

phpass is a great, easy-to-use password hashing system that works on all systems, using Blowfish if it is supported and falling back to other algorithms if it isn't.

+6

You will never need Blowfish to encrypt a password like this. The registration form must be served over HTTPS, which will handle protection against an attacker on the wire. The password itself must be hashed (never encrypted). bcrypt is a good password hash function based on Blowfish. But there are many posts related to the secure storage of passwords on SO.

+4
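
The registration and login flow that both answers point to, as an added PHP example that is not part of the original question or answers: the password is hashed with crypt() and a fresh `$2a$` salt, and login recomputes the hash instead of retrieving the password. bcrypt_hash() and bcrypt_verify() are hypothetical helper names, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original answers.
// bcrypt_hash() and bcrypt_verify() are hypothetical helper names.

/** Hash a password with crypt() and a fresh "$2a$" (bcrypt) salt. */
function bcrypt_hash(string $password, int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('cost must be in the range 04-31');
    }
    // 16 random bytes -> 22 characters from the ./0-9A-Za-z alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    // PHP 5.3.7+ also accepts "$2y$", which the PHP manual prefers to "$2a$".
    $setting = '$2a$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $salt;
    $hash = crypt($password, $setting);
    // On failure crypt() returns a short marker such as "*0", never a
    // 60-character bcrypt string, so check before storing anything.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('Blowfish hashing is not available');
    }
    return $hash;
}

/** Check a login attempt against the stored hash; nothing is decrypted. */
function bcrypt_verify(string $password, string $storedHash): bool
{
    // The stored hash carries its own algorithm, cost and salt, so passing
    // it as the salt argument repeats the same computation on the attempt.
    $check = crypt($password, $storedHash);
    // Length check rejects failure markers; hash_equals() compares in
    // constant time.
    return strlen($check) === 60 && hash_equals($storedHash, $check);
}

// Registration: store only the returned hash (constructed sample password).
$stored = bcrypt_hash('rasmuslerdorf', 7);

// Login: recompute from the submitted password and compare.
var_dump(bcrypt_verify('rasmuslerdorf', $stored)); // matching password
var_dump(bcrypt_verify('wrong-guess', $stored));   // non-matching password
```

PHP 5.5 and later ship password_hash() and password_verify(), which perform the same salt generation and comparison.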

Source: https://habr.com/ru/post/918852/

