password_hash or crypt, which brings more security?

I don’t know much about hashing and security. I found two working functions and I couldn’t figure out what the difference between them would be, and therefore which one is the safest for storing and checking passwords.

My question is: which one should I use, password_hash or crypt? I know that password_hash uses crypt internally. Does that make it more complete and safer?

Examples:

crypt:

```php
<?php
$pass = 'secret'; // the password to hash

$hash = crypt($pass); // hashes the password (no salt given, as in the original snippet)
if (crypt($pass, $hash) == $hash) { // checks the password
    echo "ok\n";
}
```

password_hash:

```php
<?php
$pass = 'secret'; // the password to hash

$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(50, MCRYPT_DEV_URANDOM), // manual salt, as in the original snippet
];

$hash = password_hash($pass, PASSWORD_BCRYPT, $options); // hashes the password
if (password_verify($pass, $hash)) { // checks the password
    echo "ok\n";
}
```

1 answer

The simplest way to explain the difference is to say that both follow different patterns, and one allows more algorithms than the other, which sometimes vary according to the system in use; this is the case for crypt.

The crypt method takes the salt as an optional parameter in older versions of PHP, which results in weaker passwords, and in newer versions of PHP it returns an E_NOTICE if you do not provide a salt. The crypt method uses the DES algorithm by default, or even MD5 depending on the system in use, and also supports various encryption algorithms.

With the password_hash method there is only one algorithm, which is bcrypt, or the default if we want that, when a new, more secure algorithm than the previous one is put into operation, we can also use it.

In recent versions of PHP it is recommended not to create salts manually unless it is really necessary, because the password_hash function already creates sufficiently safe salts.

The password_hash method is basically a derivative of the crypt method, both methods being compatible.

crypt was widely used by many users before the arrival of password_hash in PHP >= 5.5.0, which allowed users to focus the creation of the hash on a specific, tested algorithm; even today many people use crypt instead of password_hash.

Neither is less secure than the other; they differ only in the way they are employed.
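The following is an added example, not code from the question or the answer above. It puts the two APIs side by side on the same password: password_hash/password_verify with a library-generated salt, password_needs_rehash for raising the cost later, and crypt with a hand-built bcrypt salt, which is the extra work the answer says you no longer need. It assumes PHP >= 7.0 (for random_bytes and hash_equals); the sample password is constructed.

```php
<?php
// Constructed sample input for the demonstration.
$password = 'correct horse battery staple';

// password_hash(): bcrypt with a random salt generated by PHP itself.
// Result format: "$2y$<cost>$<22-char salt><31-char hash>".
function storeWithPasswordHash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verification at login. If the stored hash was made with a cheaper cost (or
// an older algorithm than PASSWORD_DEFAULT), recompute it now, while the
// plaintext is available. Returns [ok, possibly-updated hash].
function loginWithPasswordHash(string $password, string $stored, int $cost = 12): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => $cost])) {
        $stored = password_hash($password, PASSWORD_DEFAULT, ['cost' => $cost]);
    }
    return [true, $stored];
}

// crypt(): the same bcrypt underneath, but the caller must build the salt.
// A bcrypt salt string is "$2y$" + two-digit cost + "$" + 22 characters from
// the alphabet [./A-Za-z0-9]; base64 with '+' mapped to '.' fits that.
function storeWithCrypt(string $password, int $cost = 12): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
}

// Compare with hash_equals(), not "==": "==" is a timing side channel and
// subject to PHP type juggling on strings that look numeric.
function loginWithCrypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$h1 = storeWithPasswordHash($password, 11);
[$ok, $h1] = loginWithPasswordHash($password, $h1, 12); // true; hash upgraded to cost 12
[$bad, ] = loginWithPasswordHash('wrong password', $h1); // false

$h2 = storeWithCrypt($password);
// The two APIs are compatible: a crypt()-made bcrypt hash verifies with
// password_verify(), and a password_hash() result verifies with crypt().
$compatible = loginWithCrypt($password, $h2) && password_verify($password, $h2)
           && loginWithCrypt($password, $h1);
```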
