Compatibility with the password_* functions that ship with PHP 5.5

Overview

password_compat

This library is intended to provide forward compatibility with the password_* functions that ship with PHP 5.5.

See the RFC for more detailed information.

Requirements

This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is NOT supported.

The runtime version checks have been removed because of this version issue: a backported build cannot be told apart from an unpatched one by its version number alone. To see if password_compat is usable on your system, run the included version-test.php. If it outputs "Pass", you can safely use the library. If not, you cannot.

If you attempt to use password_compat on an unsupported version, attempts to create or verify hashes will return false. You have been warned!

The reason for this is that PHP prior to 5.3.7 contains a security issue in its bcrypt ($2a$) implementation (CVE-2011-2483): passwords containing 8-bit characters were hashed incorrectly, which is why 5.3.7 introduced the $2y$ prefix to mark hashes produced by the corrected code. It is therefore highly recommended that you upgrade to a newer version of PHP prior to using this layer.

Installation

To install, simply require the password.php file under lib.

You can also install it via Composer by using the Packagist archive.

Usage

Creating Password Hashes

To create a password hash from a password, simply use the password_hash function.

    $hash = password_hash($password, PASSWORD_BCRYPT);

Note that the algorithm chosen here is PASSWORD_BCRYPT, currently the strongest algorithm supported. This is the bcrypt crypt() algorithm. It produces a 60-character hash: the $2y$ prefix and cost, a 22-character salt, and a 31-character digest.

BCRYPT also allows for you to define a cost parameter in the options array. This allows for you to change the CPU cost of the algorithm:

    $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));

That's the same as the default. The cost can range from 4 to 31, and each increment doubles the work. I would suggest that you use the highest cost that you can while keeping response time reasonable (I target between 0.1 and 0.5 seconds for a hash, depending on use-case).
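
As an added example (not code from password_compat), here is one way to find that cost empirically on the host that will serve logins. The lib/password.php path and the 0.25 s target are assumptions:

```php
<?php
// Added example, not part of password_compat: find the highest bcrypt cost
// that keeps a single hash under a target latency on the current host.
require_once 'lib/password.php'; // path assumed; adjust to where password.php lives

// Returns the highest cost in [$minCost, $maxCost] whose single hash finishes
// within $targetSeconds, or false if no hash could be produced at all.
// Each +1 in cost doubles the work, so the loop stops at the first overshoot.
function calibrate_bcrypt_cost($targetSeconds = 0.25, $minCost = 4, $maxCost = 31)
{
    $chosen = false;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        $hash  = password_hash('calibration-only, never a real password',
                               PASSWORD_BCRYPT, array('cost' => $cost));
        $elapsed = microtime(true) - $start;

        if (!is_string($hash)) {
            // crypt() failed (unsupported PHP build); keep the last good cost
            break;
        }
        if ($elapsed > $targetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = calibrate_bcrypt_cost(0.25);
if ($cost === false) {
    fwrite(STDERR, "bcrypt is unavailable on this PHP build; run version-test.php\n");
    exit(1);
}
printf("Hash new passwords with array('cost' => %d) on this host\n", $cost);
```

Run it on production-class hardware under realistic load rather than on a developer laptop, and re-check after hardware upgrades. A cost that is too low weakens resistance to offline cracking; one that is too high turns the login endpoint into a cheap denial-of-service target.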

Another algorithm name is supported:

    PASSWORD_DEFAULT

This will use the strongest algorithm available to PHP at the current time. Presently, this is the same as specifying PASSWORD_BCRYPT. But in future versions of PHP, it may be updated to use a stronger algorithm if one is introduced. It can also be changed if a problem is identified with the bcrypt algorithm. Note that if you use this option, you are strongly encouraged to store the hash in a VARCHAR(255) column to avoid truncation issues if a future algorithm increases the length of the generated hash.

It is very important that you check the return value of password_hash prior to storing it: false or null may be returned if it encountered an error, so test that the result is a string rather than comparing against false alone.

Verifying Password Hashes

To verify a hash created by password_hash, simply call:

    if (password_verify($password, $hash)) {
        /* Valid */
    } else {
        /* Invalid */
    }

That's all there is to it.

Rehashing Passwords

From time to time you may update your hashing parameters (algorithm, cost, etc). So a function to determine if rehashing is necessary is available:

    if (password_verify($password, $hash)) {
        // $algorithm and $options are the parameters you currently hash new
        // passwords with, e.g. PASSWORD_DEFAULT and array("cost" => 12)
        if (password_needs_rehash($hash, $algorithm, $options)) {
            $hash = password_hash($password, $algorithm, $options);
            /* Store new hash in db */
        }
    }
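
Putting the three calls together, as an added example that is not the library's own code: registration, login, and transparent upgrade of old hashes against a constructed in-memory user table. The lib/password.php path, the cost values and the user data are assumptions. The (string) casts guard against non-string passwords (an integer one-time code, for instance), and the is_string checks allow for an error surfacing as null rather than false:

```php
<?php
// Added example, not password_compat's own code: the full hash / verify /
// rehash cycle against a constructed stand-in for a users table.
require_once 'lib/password.php'; // path assumed

// Parameters every new hash should be produced with. Raise the cost here and
// existing users are upgraded transparently at their next successful login.
$currentAlgo    = PASSWORD_DEFAULT;
$currentOptions = array('cost' => 12);

$users = array(); // constructed stand-in for the users table: username => hash

function register_user(array &$users, $username, $password, $algo, array $options)
{
    $hash = password_hash((string) $password, $algo, $options);
    // Errors may come back as false or null, so test for "is a string"
    // rather than "=== false" before anything reaches storage.
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash failed; refusing to store an unusable value');
    }
    $users[$username] = $hash;
}

function login_user(array &$users, $username, $password, $algo, array $options)
{
    // Unknown user or uninitialised hash: never hand an empty or foreign value
    // to password_verify; only output of password_hash has a defined result.
    if (!isset($users[$username]) || !is_string($users[$username]) || $users[$username] === '') {
        return false;
    }
    $hash = $users[$username];
    if (!password_verify((string) $password, $hash)) {
        return false;
    }
    // Rehash only after a successful verify: that is the one moment the
    // plaintext is legitimately in hand.
    if (password_needs_rehash($hash, $algo, $options)) {
        $new = password_hash((string) $password, $algo, $options);
        if (is_string($new)) {
            $users[$username] = $new; // store new hash in db
        }
    }
    return true;
}

// Seed a user with a deliberately low cost to exercise the upgrade path.
register_user($users, 'alice', 'correct horse battery staple', PASSWORD_BCRYPT, array('cost' => 5));
$before = $users['alice'];

var_dump(login_user($users, 'alice', 'wrong password', $currentAlgo, $currentOptions));
var_dump(login_user($users, 'alice', 'correct horse battery staple', $currentAlgo, $currentOptions));
var_dump($users['alice'] !== $before);
var_dump(password_needs_rehash($users['alice'], $currentAlgo, $currentOptions));
```

The first login fails and leaves the stored hash untouched; the second succeeds, replaces the cost-5 hash with a cost-12 one, and afterwards password_needs_rehash reports nothing further to do. Two hashes of the same password will never be equal because the salt is random, so compare with password_verify, never with ==.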

Security Vulnerabilities

If you have found a security issue, please contact the author directly at [email protected].

Comments
  • Raw length of salt should be 16

    I think it is bad to require 17 bytes of entropy for the salt, when only 16 bytes are needed. The underlying bcrypt function in crypt expects only 128 bits in the salt.

    opened by TerjeBr 18
  • [ISSUE] Integers aren't "strings" so exception is thrown.

    I generated a 6-digit passcode for a user's password using mt_rand; this returned an int, and when it comes to hashing the int it errors.

    https://github.com/ircmaxell/password_compat/blob/master/lib/password.php#L31

    opened by bweston92 10
  • Refactored the methods into a HashPassword class

    Refactored the methods into a HashPassword class for better code organization when using OOP in projects.

        $pwObj = new HashPassword();
        $hashedPasswd = $pwObj->password_hash($passwd, PASSWORD_BCRYPT, ["cost" => 10]);
        echo $hashedPasswd;

    opened by maxxon15 10
  • compatibility with sha512

    These changes add support for the sha512 hashing algorithm. This is often required for compatibility with applications that don't support bcrypt.

    I am far from an expert on this level, but these changes work fine on our setup. What are your thoughts?

    opened by fredericve 9
  • No hash being returned with PHP5.3.8

    Hello, I just implemented this excellent library (thanks for creating it) a few days ago.

    Now I got a report from a developer using PHP 5.3.8-ZS5.5.0 (cli) - which is perfectly matching the requirements - that password_hash returns false instead of a hash.

    Seems like crypt() function reported a failure, but I have no clue how to find out why. Testing the same against PHP 5.3.14 works without any problems.

    Any idea ?

    opened by bretrzaun 9
  • Function not outputting the same hash as built-in function

    The function doesn't output the same hash as PHP 7.2.

    PHP 5.3.10 using this function:

        $hash = password_hash('mypassword', PASSWORD_BCRYPT, array('cost' => 10));
        // $hash is $2y$10$mdrfl9XUF9J/qe2wnxopNevC1HtAcVxmYz9JSoetyABJggR7aMmNe

    PHP 7.2.24 calling native password_hash():

        $hash = password_hash('mypassword', PASSWORD_BCRYPT, array('cost' => 10));
        // $hash is $2y$10$HV3YTr/Mg2KvijZzUz9VDet.dlLbeKqToYHhodFCnCURgZVz.VEy2

    Am I missing something?

    opened by jjmontgo 8
  • This Repo

    Hi,

    I'm just wondering whether this repo is still being actively maintained by its owner? I'd been recently considering trying to implement something like what this package is intended to do, and it seems like this package could be quite useful, but I can see four open pull requests to this repo currently, the oldest open since 2013 and the newest since 2015, and a number of forks with commits made after the last commit to the parent; not sure whether it would be better to work directly from the parent, from one of the forks, or something else.

    Your input appreciated, and cheers. :-)

    opened by Maikuolan 7
  • Question: What should happen when an incompatible hash is passed to password_verify?

    The documentation says that the hash of password_hash should be passed as hash parameter to password_verify. It does not say anything about the result when this value contains something else.

    I store the result of password_hash in a database and check it against a password later on (as documented). But if the password is not initialized, an empty value is passed to password_verify. The verification fails as crypt() makes up its own salt, but that was for this particular case.

    Are there any guarantees on the validation result when the hash is not exactly a return value of password_hash? (note that the password argument can be anything as this is passed by the user)

    opened by Lekensteyn 7
  • Next tagged release?

    Hello,

    I'd like to know when the next tagged release will be? Your last tag is from over a year ago and there are some fixes that I'd like in production.

    Thanks!

    opened by stevetauber 6
  • Removed use of type-juggling comparison operators

    Removed use of type-juggling comparison operators. The type-comparing comparison operators are safer to use in security-sensitive code and faster [1].

    [1] http://stackoverflow.com/questions/6356826/comparing-versus

    opened by matjon 6
  • password_hash is returning wrong value on error

    Although it states that it returns false on error, most of the error checks return null instead, so a " === false " comparison would fail. Also, it is inconsistent with password_verify, which returns false on the "crypt missing" error.

    opened by einacio 6
  • PHPCompatibility ruleset for password_compat

    Hi all,

    This is just a "service message".

    For those people who use this library and use PHPCompatibility in their CI process, there is now a custom ruleset available which can be used to prevent false positives being thrown by PHPCompatibility for the native PHP functionality being polyfilled by this repo.

    You can find the repo for the PHPCompatibilityPasswordCompat ruleset here on Github as well as on Packagist.

    • https://github.com/PHPCompatibility/PHPCompatibilityPasswordCompat
    • https://packagist.org/packages/phpcompatibility/phpcompatibility-passwordcompat

    Hope someone will find it useful :smile:

    P.S.: If anyone is interested in helping us to maintain the ruleset, please open an issue in the repo.

    opened by jrfnl 0
  • php7 Compatibility problem

        105 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
        105 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
        105 | ERROR | The constant "MCRYPT_DEV_URANDOM" is deprecated since PHP 7.1 and removed since PHP 7.2

    opened by oasfuyou 5
  • password_verify fails for hashes from crypt()

    When I run the following code in PHP 5.4.45

    $password = 'XXX';
    $salt = 'XX';
    var_dump(password_verify($password, crypt($password, $salt)));
    

    I get false as result. When I run the same code with PHP's native password_verify function, I get true

    opened by flack 3
  • Suggestion: use *.phpt tests from php-src to improve compatibility

    This should be pretty easy to do, since PHPUnit does support *.phpt format. All that is needed is to copy them from php-src and add

    --INI--
    auto_prepend_file=lib/password.php
    

    to each test file.

    opened by weirdan 0
Owner
Anthony Ferrara