With PHP 5.4 still widely used on production servers, and with PHP 5.4 reaching end of life in 26 days, I would like to talk about upgrading your PHP to version 5.5 and above. Really we should be upgrading to PHP 5.6, as this is the current stable version.

“Yeah, but PHP 5.4 works fine, why should we upgrade?” you may ask. Well, there are two good reasons for this; the one I want to talk about is the new password hashing functions. So without further ado, here we go.

Is there anyone still using MD5 or SHA1 for password hashing? Well, stop now if you are: these are really insecure and breakable, especially MD5. We have much better hashing now in the form of bcrypt.

password_hash()

The first one is password_hash(), which is compatible with crypt(), so the way we would use this is

The code will return a hashed password that looks like this: $2y$10$oweC818QsczxUI3Ny95nd.9HZ/6Of.jK2iBtRSvrHtsj56dFJ3Ri2

As you may have noticed, this gives us a string length of 60 characters, so we will have to make the password field in our database longer, as before with MD5 we had lengths of 32 characters. The recommended length for storing passwords in a database is 255 characters. This is because we are using PASSWORD_DEFAULT as the second parameter, which selects the best algorithm available (bcrypt in PHP 5.5); if the best algorithm changes in a future version we won’t have to change our code, because PHP will automatically use the new one, and its hashes may be longer.

You also don’t have to worry about a salt, because this function generates a random salt for you and embeds it in the hash. More info on the password_hash() function can be found on its PHP manual page.

password_verify()

So now we have hashed our password, how do we log our users in? Well, we use the password_verify() function, which we would use like

First we retrieve the password hash from the database and use the password_verify() function to check it against the supplied password. This function takes two arguments, the plain text user password and the hashed password, and returns true or false depending on whether the two match. Because the salt is included in the hash we don’t have to worry about that, which makes creating and verifying passwords so much simpler. More info on this function can be seen at http://php.net/manual/en/function.password-verify.php

password_needs_rehash()

Sometimes our password hashes may need rehashing because the default algorithm has been upgraded to a more secure one. This is where this function comes in: after we verify the password against the hash, we can check whether the stored hash needs upgrading and, if so, rehash the password (we still have the plain text at that point) and store the new hash in our user database. We would use it like this

So now, if PHP updates the default password algorithm, we will rehash our password with it the next time the user logs in.
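As an added example (not code from the original post), here is the full register, login and rehash flow that the three sections above describe, written for PHP 5.5+. An in-memory array stands in for the users table, the sample user is constructed, and the dummy-hash step for unknown usernames is my addition rather than something the post covers.

```php
<?php
// Added example (not from the original post): register / login / rehash flow using
// password_hash(), password_verify() and password_needs_rehash() on PHP 5.5+.
// $users is an in-memory array standing in for a users table whose password
// column is VARCHAR(255).

// Registration: hash the plaintext once and store only the hash. PASSWORD_DEFAULT
// picks bcrypt today; the random salt is generated for you and embedded in the
// 60-character result ($2y$10$...).
function registerUser(array &$users, $username, $password)
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: verify against the stored hash and, on success, upgrade the hash if the
// default algorithm or the requested cost no longer matches what was stored.
function loginUser(array &$users, $username, $password, array $options = array())
{
    // Verify against a dummy hash for unknown users so a missing account takes
    // about as long as a wrong password (hypothetical dummy; generated once, never stored).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }
    $known = isset($users[$username]);
    $storedHash = $known ? $users[$username] : $dummyHash;
    $matches = password_verify($password, $storedHash);
    if (!$known || !$matches) {
        return false;
    }
    // Only after a successful verify: the plaintext is needed to produce the new hash.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

$users = array();
registerUser($users, 'alice', 'correct horse battery staple'); // constructed sample user
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));

// Later the site raises the bcrypt cost to 12: the next successful login rehashes,
// so the stored hash changes and now starts with the $2y$12$ prefix.
$oldHash = $users['alice'];
loginUser($users, 'alice', 'correct horse battery staple', array('cost' => 12));
var_dump($oldHash !== $users['alice']);
var_dump(substr($users['alice'], 0, 7) === '$2y$12$');
```

Passing the same $options array to both password_needs_rehash() and password_hash() is what keeps the check and the upgrade in step; if you only pass it to one of them, every login will rehash or none will.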

So there we have it. This has been a short introduction to these new functions, and I hope you will find them as useful as I have. These functions will make life much easier for us developers, as we no longer have to worry about choosing the right hash and salt ourselves.

Now over to you. I hope you have enjoyed this post; if you have, why not leave a comment.