PHP Bcrypt hashing

I want to use Bl开发者_开发问答owfish hashing to hash password.

crypt() does not support it in PHP versions prior to 5.3

My PHP version is 5.2.14. How can I use Blowfish hashing? Can I use PEAR's Crypt_Blowfish instead?

PEAR's Crypt_Blowfish is meant to stand in for PHP's MCrypt extension - it's a two-way encryption scheme, not for hashing. While bcrypt is based on Blowfish, it's not the same thing. Confusingly, PHP 5.3.0's CRYPT_BLOWFISH is a hashing algorithm.

Is there a reason why upgrading to PHP 5.3.0+ would not be possible? This isn't something you want to try to implement yourself. If you can, phpass is a great way to do bcrypt-based password hashing securely. If you absolutely can't upgrade, phpass falls back to older hashing schemes (but it's still more secure than plain MD5, etc).

If for some reason you can install Suhosin but not upgrade PHP, that would add CRYPT_BLOWFISH support.

To make sure you don't currently have CRYPT_BLOWFISH installed, try the following:

 echo (CRYPT_BLOWFISH === 1) ? 'CRYPT_BLOWFISH is enabled!' : 'CRYPT_BLOWFISH is not available'; 

PEAR's Crypt_Blowfish package provides blowfish encryption using the mcrypt extension if it is available, and if not it implements the blowfish algorithm natively in php. It does not fall back to using any other form of encryption.

There is no "hand-written" documentation for the package though, there is auto-generated API documentation derived from annotations in the package itself.

This is how I use it to encrypt:

$bf = Crypt_Blowfish::factory('ecb', null, null, CRYPT_BLOWFISH_PHP);
$iv = 'abc123+=';                                                      
$key = BLOWFISH_KEY;                                                   
$bf->setKey($key, $iv);                                                
$encrypted = bin2hex($bf->encrypt($password));        

And to decrypt:

$bf = Crypt_Blowfish::factory('ecb', null, null, CRYPT_BLOWFISH_PHP);       
$iv = 'abc123+=';                                                              
$key = BLOWFISH_KEY;                                                           
$bf->setKey($key, $iv);                                                        
$decrypted = trim($bf->decrypt(hex2bin($password))); 

Where BLOWFISH_KEY is a constant which I've defined elsewhere in the code.

In these examples I am explicitly using the PHP implementation.

If I wanted Crypt_Blowfish to decide which engine to use, i.e. to determine if it can use the mcrypt extension if it is available (and otherwise use the php implementation) then I'd change over with CRYPT_BLOWFISH_AUTO. To explicitly use the mcrypt extension, specify CRYPT_BLOWFISH_MCRYPT.