Compatibility with the password_* functions that ship with PHP 5.5

Overview

password_compat


This library is intended to provide forward compatibility with the password_* functions that ship with PHP 5.5.

See the RFC for more detailed information.

Requirements

This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is NOT supported.

The runtime checks have been removed due to this version issue. To see if password_compat is available for your system, run the included version-test.php. If it outputs "Pass", you can safely use the library. If not, you cannot.

If you attempt to use password_compat on an unsupported version, attempts to create or verify hashes will return false. You have been warned!

The reason for this is that PHP prior to 5.3.7 contains a security issue with its BCRYPT implementation. Therefore, it's highly recommended that you upgrade to a newer version of PHP prior to using this layer.

Installation

To install, simply require the password.php file under lib.

You can also install it via Composer by using the Packagist archive.

Usage

Creating Password Hashes

To create a password hash from a password, simply use the password_hash function.

    $hash = password_hash($password, PASSWORD_BCRYPT);

Note that the algorithm we chose is PASSWORD_BCRYPT. That is currently the strongest algorithm supported; it is the BCRYPT crypt algorithm and produces a 60 character hash.

BCRYPT also allows you to define a cost parameter in the options array. This lets you change the CPU cost of the algorithm:

    $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));

That's the same as the default. The cost can range from 4 to 31. I would suggest that you use the highest cost that you can, while keeping response time reasonable (I target between 0.1 and 0.5 seconds for a hash, depending on use-case).
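Picking the cost by hand means re-measuring on every hardware change, so here is an added example (not part of password_compat) that times password_hash() and chooses the highest cost that stays within a response-time budget; the budget of 0.25 seconds, the cost floor of 10 and the `lib/password.php` path are assumptions.

```php
<?php
// Added example, not part of password_compat: pick the highest bcrypt cost
// that password_hash() can finish within a target time on this server.
// The target, the cost floor/ceiling and the library path are assumptions.
require_once 'lib/password.php';

function calibrate_bcrypt_cost($targetSeconds = 0.25, $floor = 10, $ceiling = 31)
{
    $chosen = $floor;   // never go below the library default of 10
    for ($cost = $floor; $cost <= $ceiling; $cost++) {
        $start = microtime(true);
        $hash  = password_hash('timing-probe-only', PASSWORD_BCRYPT, array('cost' => $cost));
        $spent = microtime(true) - $start;

        // false or null means this runtime cannot hash at all (see Requirements)
        if (!is_string($hash)) {
            return false;
        }
        // Each +1 doubles the work, so stop at the first cost over budget
        if ($spent > $targetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = calibrate_bcrypt_cost(0.25);
echo $cost === false ? "bcrypt is unavailable on this PHP build\n"
                     : "use array('cost' => {$cost}) for new hashes\n";
```

Run it on the production hardware (not a developer laptop) and re-run it when the servers change, since the result is a property of the machine, not of the library.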

Another algorithm name is supported:

    PASSWORD_DEFAULT

This will use the strongest algorithm available to PHP at the current time. Presently, this is the same as specifying PASSWORD_BCRYPT. But in future versions of PHP, it may be updated to use a stronger algorithm if one is introduced. It can also be changed if a problem is identified with the BCRYPT algorithm. Note that if you use this option, you are strongly encouraged to store it in a VARCHAR(255) column to avoid truncation issues if a future algorithm increases the length of the generated hash.

It is very important that you check the return value of password_hash prior to storing it, because false or null may be returned if it encountered an error.

Verifying Password Hashes

To verify a hash created by password_hash, simply call:

    if (password_verify($password, $hash)) {
        /* Valid */
    } else {
        /* Invalid */
    }

That's all there is to it.

Rehashing Passwords

From time to time you may update your hashing parameters (algorithm, cost, etc.), so a function is available to determine whether a stored hash needs to be rehashed:

    if (password_verify($password, $hash)) {
        if (password_needs_rehash($hash, $algorithm, $options)) {
            $hash = password_hash($password, $algorithm, $options);
            /* Store new hash in db */
        }
    }
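The three steps above (hash, verify, rehash) as one routine, added here as an example that is not part of password_compat; it checks the password_hash() result for both false and null and refuses to verify against an empty stored hash. The policy values, the sample password and the `lib/password.php` path are assumptions.

```php
<?php
// Added example, not part of password_compat: the hash / verify / rehash
// steps as one routine, checking password_hash() for both false and null
// (the library returns null on some error paths; see the issue tracker).
// The policy values, the sample password and the library path are assumptions.
require_once 'lib/password.php';

function create_credential($password, $algorithm, $options)
{
    $hash = password_hash($password, $algorithm, $options);
    // Never store a non-string: false and null both signal that hashing failed
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed; nothing stored');
    }
    return $hash;   // store in a VARCHAR(255) column
}

// Returns array('valid' => bool, 'rehash' => string|null); a non-null
// 'rehash' is an upgraded hash the caller should write back to the database.
function check_credential($password, $storedHash, $algorithm, $options)
{
    // An empty or missing hash (user never set a password) can never match
    if (!is_string($storedHash) || $storedHash === '') {
        return array('valid' => false, 'rehash' => null);
    }
    if (!password_verify($password, $storedHash)) {
        return array('valid' => false, 'rehash' => null);
    }
    $rehash = null;
    if (password_needs_rehash($storedHash, $algorithm, $options)) {
        $candidate = password_hash($password, $algorithm, $options);
        if (is_string($candidate)) {   // keep the old hash if rehashing fails
            $rehash = $candidate;
        }
    }
    return array('valid' => true, 'rehash' => $rehash);
}

// Policy at registration time, then a later policy with a higher cost
$stored = create_credential('correct horse battery staple', PASSWORD_DEFAULT, array('cost' => 10));
$result = check_credential('correct horse battery staple', $stored, PASSWORD_DEFAULT, array('cost' => 12));
// $result['valid'] is true and $result['rehash'] is a new cost-12 hash to store;
// a wrong password yields valid => false and triggers no rehash.
```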

Security Vulnerabilities

If you have found a security issue, please contact the author directly at [email protected].

Issues
  • Raw length of salt should be 16

    I think it is bad to require 17 bytes of entropy for the salt, when only 16 bytes are needed. The underlying bcrypt function in crypt expects only 128 bits in the salt.

    opened by TerjeBr 18
  • Updated password hashing for blowfish algorithm to be used by pre PHP 5....

    ...3.7 versions. These versions only use the $2a$ hash prefix.

    opened by fritszwegers 12
  • Refactored the methods into a HashPassword class

    Refactored the methods into a HashPassword class for better code organization when using OOP in projects.

    $pwObj = new HashPassword();
    $hashedPasswd = $pwObj->password_hash($passwd, PASSWORD_BCRYPT, ["cost" => 10]);
    echo $hashedPasswd;

    opened by maxxon15 10
  • [ISSUE] Integers aren't "strings" so exception is thrown.

    I generated a 6 digit passcode for a user's password using mt_rand; this returned an int, and when it comes to hashing the int it errors.

    https://github.com/ircmaxell/password_compat/blob/master/lib/password.php#L31

    opened by bweston92 10
  • No hash being returned with PHP5.3.8

    Hello, I just implemented this excellent library (thanks for creating it) a few days ago.

    Now I got a report from a developer using PHP 5.3.8-ZS5.5.0 (cli) - which is perfectly matching the requirements - that password_hash returns false instead of a hash.

    Seems like the crypt() function reported a failure, but I have no clue how to find out why. Testing the same against PHP 5.3.14 works without any problems.

    Any idea?

    opened by bretrzaun 9
  • compatibility with sha512

    These changes add support for the sha512 hashing algorithm. This is often required for compatibility with applications that don't support bcrypt.

    I am far from an expert on this level, but these changes work fine on our setup. What are your thoughts?

    opened by fredericve 9
  • Function not outputting the same hash as built-in function

    The function doesn't output the same hash as PHP 7.2.

    PHP 5.3.10 using this function:

    $hash = password_hash('mypassword', PASSWORD_BCRYPT, array('cost' => 10));

    $hash is $2y$10$mdrfl9XUF9J/qe2wnxopNevC1HtAcVxmYz9JSoetyABJggR7aMmNe

    PHP 7.2.24 calling native password_hash():

    $hash = password_hash('mypassword', PASSWORD_BCRYPT, array('cost' => 10));

    $hash is $2y$10$HV3YTr/Mg2KvijZzUz9VDet.dlLbeKqToYHhodFCnCURgZVz.VEy2

    Am I missing something?

    opened by jjmontgo 8
  • Question: What should happen when an incompatible hash is passed to password_verify?

    The documentation says that the hash of password_hash should be passed as hash parameter to password_verify. It does not say anything about the result when this value contains something else.

    I store the result of password_hash in a database and check it against a password later on (as documented). But if the password is not initialized, an empty value is passed to password_verify. The verification fails as crypt() makes up its own salt, but that was for this particular case.

    Are there any guarantees on the validation result when the hash is not exactly a return value of password_hash? (Note that the password argument can be anything, as this is passed by the user.)

    opened by Lekensteyn 7
  • This Repo

    Hi,

    I'm just wondering whether this repo is still being actively maintained by its owner? I'd been recently considering trying to implement something like what this package is intended to do, and it seems like the package could be quite useful, but I can see four open pull requests to this repo currently, the oldest open since 2013 and the newest since 2015, and a number of forks with commits made since after the last commit to the parent. Not sure whether it would be better to work directly from the parent, from one of the forks, or something else.

    Your input appreciated, and cheers. :-)

    opened by Maikuolan 7
  • password_hash is returning wrong value on error

    Although it states that it returns false on error, most of the error checks return null instead, so a " === false " comparison would fail. Also, it is inconsistent with password_verify, which returns false on the "crypt missing" error.

    opened by einacio 6
  • A

    opened by Amitmalik748452 0
  • Update .travis.yml to use Precise/Xenial distributions

    More info: https://docs.travis-ci.com/user/languages/php/#choosing-php-versions-to-test-against

    opened by sanmai 16
  • PHPCompatibility ruleset for password_compat

    Hi all,

    This is just a "service message".

    For those people who use this library and use PHPCompatibility in their CI process, there is now a custom ruleset available which can be used to prevent false positives being thrown by PHPCompatibility for the native PHP functionality being polyfilled by this repo.

    You can find the repo for the PHPCompatibilityPasswordCompat ruleset here on Github as well as on Packagist.

    • https://github.com/PHPCompatibility/PHPCompatibilityPasswordCompat
    • https://packagist.org/packages/phpcompatibility/phpcompatibility-passwordcompat

    Hope someone will find it useful :smile:

    P.S.: If anyone is interested in helping us to maintain the ruleset, please open an issue in the repo.

    opened by jrfnl 0
  • php7 Compatibility problem

    105 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
    105 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
    105 | ERROR | The constant "MCRYPT_DEV_URANDOM" is deprecated since PHP 7.1 and removed since PHP 7.2

    opened by oasfuyou 5
  • README.md Sentence structure improvement

    Fixed the sentence structure to make it easier to read.

    opened by Script47 1
  • mysqli_real_escape_string

    mysql function against string injection not working

    opened by COLEY434 0
  • password_verify fails for hashes from crypt()

    When I run the following code in PHP 5.4.45:

    $password = 'XXX';
    $salt = 'XX';
    var_dump(password_verify($password, crypt($password, $salt)));
    

    I get false as a result. When I run the same code with PHP's native password_verify function, I get true.

    opened by flack 3
  • Suggestion: use *.phpt tests from php-src to improve compatibility

    This should be pretty easy to do, since PHPUnit does support *.phpt format. All that is needed is to copy them from php-src and add

    --INI--
    auto_prepend_file=lib/password.php
    

    to each test file.

    opened by weirdan 0
  • Accept DES hashes

    Native password_verify() does accept old insecure DES hashes (https://3v4l.org/hKl4X). This pull request re-enables verifying (but not creating) them.

    opened by weirdan 24
  • Cannot verify the password after hashing

    I have tested the password_verify of PHP and it does not verify correctly. I am using CentOS and PHP version 5.3.3. It always returns true with different passwords when I verify them. Does my code have a bug?

    Here is my code:

    $password = 'k32AlGOPqvCzoh*Sp(Hdrr26]M=lQb00R&W=hew|-|([(03vp==A8%m?l=eA2^bs_|\qVV3WZ';
    
    $verify_pw = 'k32AlGOPqvCzoh*Sp(Hdrr26]M=lQb00R&W=hew|-|([(03vp==A8%m?l=eA2^bs_|\qVV3WZasdasdasdasdqweqa13123';
    
    $options = array(
                'cost' => 15
            );
    
    $hash = password_hash($password, PASSWORD_BCRYPT,$options);
    
    var_dump(password_verify($verify_pw ,$hash)); // sometime true sometime false
    
    opened by jackyshek 1
Owner
Anthony Ferrara