
I am working on upgrading my code base to PHP-7 and I'm having trouble with some old users that have a salt format that is not compatible with DES. My idea is to authenticate the user and then transform the hash salt into a new format like Blowfish that is compatible with the new crypt.

The problem comes when I try to use `crypt()` with the old salt in order to authenticate the user before changing the salt. I get the following error:

crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format.

Is there a way to use crypt (or an alternative function) with other algorithms so I can use the old format salt?

lgomezma
  • Did you try `password_hash`? *password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.* Can't quite tell if it'll solve your problem but compatible with existing hashes sounds promising. – Joachim Isaksson Mar 17 '16 at 09:25
  • I ended up using `password_verify`, which is actually similar to `password_hash` but just returns true or false. Then afterwards I reconvert the hash to the new format. – lgomezma Mar 17 '16 at 09:35

2 Answers


For the people that have the same problem, I solved it using `password_verify`, which actually uses `password_hash` underneath, which supports existing password hashes, as Joachim suggested.

lgomezma

Just one thing you need to keep in mind: `password_verify` has a specific time to run. If your use is for passwords, it's highly recommended.
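
The verify-then-rehash flow described in the answers above, as an added example that is not part of the original posts. It assumes the old hashes are in a format PHP's `crypt()` still recognizes (MD5-crypt stands in here, because the question does not say which format the old salts use); `verify_and_upgrade`, `TARGET_ALGO`, `TARGET_OPTS` and the `$users` array are hypothetical names.

```php
<?php
// Added example: authenticate against a legacy crypt() hash, then upgrade it to bcrypt.

const TARGET_ALGO = PASSWORD_BCRYPT;   // "Blowfish" in the question's terms
const TARGET_OPTS = ['cost' => 12];    // assumed work factor; tune for your hardware

/**
 * Returns [bool $authenticated, string|null $newHash].
 * $newHash is non-null only when the stored hash should be replaced.
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    // password_verify() takes algorithm, cost and salt from the stored hash
    // itself and compares the result in constant time.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // The plaintext is only available during login, so this is the one
    // moment a legacy hash can be replaced without a password reset.
    if (password_needs_rehash($storedHash, TARGET_ALGO, TARGET_OPTS)) {
        return [true, password_hash($password, TARGET_ALGO, TARGET_OPTS)];
    }
    return [true, null];
}

// Constructed sample data: a user store holding one legacy MD5-crypt hash.
$users = ['alice' => crypt('correct horse', '$1$legacysa$')];

// A failed login, the first good login (triggers the upgrade),
// then a second good login (already upgraded, nothing to do).
foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    list($ok, $newHash) = verify_and_upgrade($attempt, $users['alice']);
    if ($newHash !== null) {
        $users['alice'] = $newHash; // in real code: UPDATE the user's row
    }
    printf(
        "%-14s authenticated=%-3s upgraded=%-3s stored prefix=%s\n",
        $attempt,
        $ok ? 'yes' : 'no',
        $newHash !== null ? 'yes' : 'no',
        substr($users['alice'], 0, 7)
    );
}
```

The password column has to be wide enough for the new format; the PHP manual recommends 255 characters so that `PASSWORD_DEFAULT` can change later without a schema change.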