user7059778
mcrypt is deprecated? - How to crypt and save a password correctly in PHP?

I was told that PHP mcrypt is deprecated and I should use a different method to hash and salt my passwords.

This is what I do currently:

public function saveNewUser(array $data) {
  // escapes the raw password before hashing (escaping is only needed for SQL, not for password_hash())
  $passwd = $this->mysqli->real_escape_string($data['passwd']);
  $options = [
      'cost' => 11,
      // 22 random bytes from /dev/urandom used as a manual bcrypt salt
      'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)
  ];

  $hashed_passwd = password_hash($passwd, PASSWORD_BCRYPT, $options);
  // token for the opt-in (e-mail confirmation) link
  $this->optin_hash = md5(rand());
  //...
  //save user in DB with hashed passwd
}

Login:

if (password_verify($_POST['user_password'], $result_row->gmw_usr_passwd)) {
    // do some login stuff
}

1.) What is the latest and most secure way to crypt and save a password? Can you give a usage example or link on how to crypt and save a password correctly and how to verify it for login?

2.) In the PHP documentation I read something about password_hash:

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

(...)

Warning The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

2.a) Is password_hash an alternative to what I used?

2.b) So I don't need to add salt by myself?

2.c) What about that blowfish algorithm I used and all the other steps I added? Are they not necessary anymore?

2.d) How do I verify the passwords for login, when I use password_hash?

EDIT: Sorry I saw that I already use password_hash (it was a very short coding-night).

As described by Artjom B., I don't need mcrypt (?)

Upvotes: 4

Views: 2939

Answers (1)

user284437

The new standard way, according to PHP documentation for PHP 7.0, is to use password_hash to hash the original password and then password_verify at login time, to verify the correctness of the provided password.

These functions are wrappers around the fundamentals, like crypt(), and are recommended because they take care of things that you and I will never think about, like choosing the correct source of randomness for generating the salt (you can't use a standard rand function for encryption).

Coming to 2b and the rest, you don't need to add the salt yourself because it is generated by PHP and included in the password hash, and all the necessary steps are done for you.

You just need to save the hashed password, created with password_hash, on the database and then use it, at login time, to compare it with the user-supplied password using password_verify.

Also, yes, mcrypt is deprecated, because it's not updated anymore.

Upvotes: 6
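A complete registration/login flow built only on password_hash() and password_verify(), as the answer recommends and as the question's code is trying to do. This is an added example, not code from the question or the answer; it assumes a users table with the columns username and passwd_hash, and uses an in-memory SQLite database through PDO in place of the asker's MySQLi connection. The function names (hashPassword, saveNewUser, login) and the constant PASSWORD_COST are this example's own.

```php
<?php
// Added example: store and verify a password with password_hash()/password_verify()
// only. No mcrypt, no manual salt, no escaping of the password before hashing.
// Assumptions: a `users` table (username, passwd_hash); SQLite in memory via PDO.

declare(strict_types=1);

// bcrypt cost; raise it until one hash takes roughly 100 ms on the login server.
const PASSWORD_COST = 11;

function hashPassword(string $plain): string
{
    // The raw password goes in as-is. password_hash() draws the salt from the
    // OS CSPRNG and embeds salt, algorithm and cost in the returned string.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST]);
}

function saveNewUser(PDO $db, string $username, string $plainPassword): void
{
    // Prepared statement: escaping belongs to the SQL layer, not to the password.
    $stmt = $db->prepare('INSERT INTO users (username, passwd_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hashPassword($plainPassword)]);
}

function login(PDO $db, string $username, string $plainPassword): bool
{
    $stmt = $db->prepare('SELECT passwd_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a dummy hash anyway so the response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        $dummyHash ??= hashPassword('dummy-password-for-timing');
        password_verify($plainPassword, $dummyHash);
        return false;
    }

    // password_verify() reads salt, algorithm and cost out of the stored hash.
    if (!password_verify($plainPassword, $row['passwd_hash'])) {
        return false;
    }

    // Successful login is the only moment the plaintext is available, so this is
    // where a hash made with an older, lower cost gets upgraded.
    if (password_needs_rehash($row['passwd_hash'], PASSWORD_BCRYPT, ['cost' => PASSWORD_COST])) {
        $upd = $db->prepare('UPDATE users SET passwd_hash = :h WHERE username = :u');
        $upd->execute([':h' => hashPassword($plainPassword), ':u' => $username]);
    }
    return true;
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, passwd_hash TEXT NOT NULL)');

saveNewUser($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));
```

The stored value is the full bcrypt string (for example "$2y$11$..."), which is why the table needs a VARCHAR(60) or wider column and why no separate salt column exists: password_verify() recovers everything it needs from that string.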
