1

I've used MD5() password hashing in an old application and I want to switch to crypt() hashing since its more secure. But... I don't have any experiance with the crypt() function.

So now for hashing I have this:

  function hashPassword($uPassword) {
        $processingPower = 10;
        $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
        $salt = sprintf("$2a$%02d$", $processingPower) . $salt;
        $hash = crypt($password, $salt);
        return $hash;
    }

And to compare the password, I have this:

if (crypt($uPassword, $uData['uPassword']) == $uData['uPassword'])

All seems to work fine, but I can still login with the old (MD5) passwords stored in my dB. Is this normal behaviour or is there something wrong in my code?

Matt Ball
  • 354,903
  • 100
  • 647
  • 710
DigiLive
  • 1,093
  • 1
  • 11
  • 28

1 Answers1

1

MD5 passwords start with $1$. crypt() can identify MD5 hashes that way and correctly identifies them (see http://php.net/crypt)

One typical strategy is to determine the hashing type and to update the hash on login, so you can seamlessly update hashes. Ideally you'd use the password_hash() group of functions since they hide the details and prevent you from implementing it wrongly. Should the php developers ever change their defaults (eg. because they were shown to be unsafe), your application would update hashes automatically after a php update.

They're available natively with php 5.5, but for php >= 5.3.7 there's a compatibility library to be found at https://github.com/ircmaxell/password_compat. It essentially does what you wrote above, just with more options, like using openssl if mcrypt isn't available, and it provides the standard API.

Patrick Georgi
  • 688
  • 4
  • 8