-2

Hi, can anyone tell me how to use crypt() and password_hash in PHP 5.6, please? I tried, and it keeps giving me this error:

```
Notice: crypt(): No salt parameter was specified.
You must use a randomly generated salt and a strong hash function to produce a secure hash.
```

Bhavin Solanki
nickyjack
  • 1
    Just use `password_hash()` with the defaults. It generates a secure salt and uses the most secure hash algo available for a given PHP version, currently bcrypt. `password_hash()` is essentially just a wrapper around `crypt()` with secure defaults because hardly anyone knows how to use the function properly otherwise. – Sammitch Dec 14 '15 at 18:01
  • 2
    You really shouldn't use your own salts on password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 14 '15 at 18:44

2 Answers

3

The usage is very straightforward; the following example sums it up:

```php
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
```

The password_hash() function is actually a wrapper around the crypt() function, to handle the difficult parts like generating a safe salt, and to make it future proof. So there is no need to call crypt() directly.

martinstoeckli
1

The function declaration is as follows:

string crypt ( string $str [, string $salt ] )

But the documentation notes this:

The salt parameter is optional. However, crypt() creates a weak password without the salt. PHP 5.6 or later raise an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.

That is to say, you will just have to ignore the notice if you want to continue using the function without a salt (which would be dumb), or use a salt.

Note, however, that the documentation continues on to say this:

password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.

(That last emphasis is mine.)

miken32
  • 1
    @RyanVincent crypt provides the bcrypt implementation. So yeah, it does just wrap crypt internally. – ircmaxell Dec 15 '15 at 01:39
  • It would be fatal not to provide a salt to the `crypt()` function; it then calculates a single, unsalted DES or MD5 hash, which is nearly the same as storing them in plaintext. But as you wrote, there is no reason to call the crypt() function directly. – martinstoeckli Dec 15 '15 at 07:59
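
An added example, not part of the answers or comments above: it shows that the stored hash carries its own algorithm, cost and salt, that `crypt()` given that hash as its salt argument reproduces it (the wrapper relationship the answers describe), and how a login can upgrade an old low-cost hash with `password_needs_rehash()`. The `login()` helper, the in-memory `$users` array and the sample passwords are hypothetical, and the `cost` option assumes `PASSWORD_DEFAULT` is bcrypt, as the thread states; it runs on PHP 5.6 or later.

```php
<?php
// Added example; login(), $users and the passwords are hypothetical stand-ins
// for an application's own login routine and user table.

// Returns true on a correct password and upgrades a weak stored hash in place.
function login(array &$users, $name, $password, $targetCost)
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];
    // Salt, algorithm and cost are read back out of $stored itself.
    if (!password_verify($password, $stored)) {
        return false;
    }
    $options = array('cost' => $targetCost);
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, $options)) {
        // Re-hashing is only possible here, while the plaintext is in hand.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

// Constructed sample data: a hash stored earlier with the minimum bcrypt cost.
$users = array(
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 4)),
);
$old = $users['alice'];

// The hash string is self-describing.
$info = password_get_info($old);
echo $info['algoName'], ' cost ', $info['options']['cost'], "\n";

// crypt() with the stored hash as its salt argument re-derives the same
// string; hash_equals() compares the two in constant time.
var_dump(hash_equals($old, crypt('correct horse', $old)));

// A wrong password is rejected and leaves the stored hash untouched.
var_dump(login($users, 'alice', 'wrong guess', 10));
var_dump($users['alice'] === $old);

// A correct password succeeds and the stored hash is replaced by one
// with the target cost and a freshly generated salt.
var_dump(login($users, 'alice', 'correct horse', 10));
$new = password_get_info($users['alice']);
echo 'cost after login: ', $new['options']['cost'], "\n";
var_dump($users['alice'] !== $old);
```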