In short: don't build it yourself. Use a library.

In PHP 5.5, there will be a new API available to make this process easier on you. Here's the RFC for it.

I've also created a backwards-compatibility library for it here: password-compat:

$hash = password_hash($password, PASSWORD_BCRYPT);

And then to verify:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */

And if you want another library, check out phpass

In short, don't do it yourself. There's no need. Just import the library and be done with it...

  • 12
Reply Report
      • 2
    • @BenDuffin: You actually just proved my point with your comment. crypt() can do bcrypt. But it is easy to screw up. It is easy to wind up in a situation where you kill security. Which is why I did not recommend actually using it directly, but using a library. Because cryptography is hard, and you shouldn't do it yourself if you have an alternative. And there are alternatives.
      • 2
    • I've read that, and will probably use that in the long run, but I like to understand how to do things myself. Thanks for the tip, but it doesn't answer my question.
      • 2
    • @sharf: look at what the libraries do (the compat one should be pretty easy to read). That should give you insight on how it all works...

Take a look at

If you scroll down about 1/3, you should see the heading: Example #3 Using crypt() with different hash types. Hopefully this will help! and your salt should be fine!

  • 6
Reply Report
      • 1
    • I have seen that but I'm still confused. Do I just tack $2a$07$ to the front of my salt (and another $ to the end) to make it use blowfish? Also, what is the 07 in that example, the number of rounds?

Try this - its untested, I just whipped it up to show how to use the BLOWFISH algo with PHP

class cipher {
private static $mode = 'MCRYPT_BLOWFISH';
private static $key = 'q!2wsd#45^532dfgTgf56njUhfrthu&^&ygsrwsRRsf';

public static function encrypt($buffer){
    $iv                 = mcrypt_create_iv(mcrypt_get_iv_size(constant(self::$mode), MCRYPT_MODE_ECB), MCRYPT_RAND); 
    $passcrypt  = mcrypt_encrypt(constant(self::$mode), self::$key, $buffer, MCRYPT_MODE_ECB, $iv); 
    $encode         = base64_encode($passcrypt); 
    return $encode; 

public static function decrypt($buffer){
    $decoded        = base64_decode($buffer); 
    $iv                 = mcrypt_create_iv(mcrypt_get_iv_size(constant(self::$mode), MCRYPT_MODE_ECB), MCRYPT_RAND); 
    $decrypted  = mcrypt_decrypt(constant(self::$mode), self::$key, $decoded, MCRYPT_MODE_ECB, $iv);
    return $decrypted;



To Encrypt:

$mystring = 'a quick brown fox jumped over the lazy llama'; $mystring = cipher::encrypt($mystring);

To Decrypt:

$mystring = cipher::decrypt($myencryptedstring);

  • -3
Reply Report
      • 2
    • A few points: 1. The question is about the password hashing algorithm (see the passwords and crypt tags). 2. You're using ECB. Bad developer, no donut. 3. You're using a static, hard-coded key. Again, bad. 4. You're not storing the IV on encryption, meaning that decrypt will NEVER work (for non-ECB modes)...
      • 1
    • helpful comment - could you rewrite it to suit the conditions you specify please? Although I disagree about the off-question part - the chap wanted to know about how to encrypt with blowfish did he not? Not knowing his code I simply tried to give him a utility to allow him to encrypt and decrypt given data with the blowfish algo. What does non-ECB mode mean as I use quite similar code in some large apps and have had no trouble with it - am i missing something? :S hope not!

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags

Related Questions