What’s the difference between using password_default and password_bcrypt?


Searching on hashing, I noticed that the second parameter of the function password_hash has two options, PASSWORD_DEFAULT and PASSWORD_BCRYPT.

  • Which of the two should I prefer to use?

It's probably PASSWORD_DEFAULT? In the documentation both are explained, and it says:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE in case of failure.

So from this quote it can be assumed that bcrypt and CRYPT_BLOWFISH are different standards. Exactly:

  • What would be the difference between them?

2 answers

Right now there’s no difference.

The difference is that PASSWORD_DEFAULT was designed to change when new algorithms are added, but at this time (the latest version is PHP 7.1, for reference) PHP only supports bcrypt.

In PHP 7.2, Argon2 is expected to arrive; if this actually happens, there may be options, for example:

PASSWORD_BCRYPT 
PASSWORD_ARGON2I

Thus PASSWORD_DEFAULT may change in PHP 7.3 from PASSWORD_BCRYPT to PASSWORD_ARGON2I; this is its purpose, which is why it is warned that it can change over time.

But right now there's no difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT.


PASSWORD_DEFAULT update policies

  • Any new algorithm must be available for at least one full release of PHP before it can become PASSWORD_DEFAULT. If Scrypt is added in PHP 5.5.5, it cannot be the default until PHP 5.7, because PHP 5.6 is the only "full release". If Jcrypt is added in PHP 5.6.0 it can become the default in PHP 5.7.

  • PASSWORD_DEFAULT can only be changed in a "full release" (5.5, 5.6, 7.0...) and cannot be modified in revision versions (5.5.1, 5.6.1...) unless it is an emergency, such as a severe security vulnerability being found in the current default.
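The practical consequence of PASSWORD_DEFAULT being allowed to change between releases is that an application has to be ready to upgrade stored hashes when it does. The following login routine is an added example, not code from the answer above or from PHP itself; it assumes PHP 7.0 or later and an in-memory user record standing in for a database row.

```php
<?php
// Added example: verify a login and transparently re-hash the stored password
// whenever the stored hash no longer matches the current policy. This is what
// makes a change of PASSWORD_DEFAULT in a new PHP release harmless.
declare(strict_types=1);

// Hypothetical user record; in a real application this is loaded from the database.
// It was hashed with an explicit bcrypt cost of 10, as an older deployment might have done.
$user = [
    'username'      => 'alice',
    'password_hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Current policy: whatever PASSWORD_DEFAULT means on this PHP build.
// The cost option is only honoured when the default is bcrypt.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

/**
 * Returns true when $password matches the stored hash. On success, if the stored
 * hash was produced with a different algorithm or different options than the
 * current policy, it is replaced with a fresh hash (updated in place).
 */
function loginAndUpgrade(array &$user, string $password): bool
{
    // password_verify() reads algorithm, cost and salt out of the hash string
    // itself, so it keeps working for hashes produced under an older default.
    if (!password_verify($password, $user['password_hash'])) {
        return false;
    }

    // password_needs_rehash() is true whenever the algorithm or options encoded
    // in the hash differ from the ones requested here, which is exactly what
    // happens when PASSWORD_DEFAULT is bumped in a new PHP release.
    if (password_needs_rehash($user['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $user['password_hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        // Here the new hash would be written back to the database row.
    }

    return true;
}

$info = password_get_info($user['password_hash']);
printf("before: algo=%s options=%s\n", $info['algoName'], json_encode($info['options']));

var_dump(loginAndUpgrade($user, 'wrong password'));
var_dump(loginAndUpgrade($user, 'correct horse battery staple'));

$info = password_get_info($user['password_hash']);
printf("after:  algo=%s options=%s\n", $info['algoName'], json_encode($info['options']));
```

The first login attempt fails and leaves the hash untouched; the second succeeds and, because the stored cost (10) differs from the policy (12), the hash is regenerated. The same code path handles an algorithm change: once PASSWORD_DEFAULT stops meaning bcrypt, every user is migrated on their next successful login without a password reset.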


As described in the manual, it is recommended to use PASSWORD_DEFAULT.

The description states that currently PASSWORD_DEFAULT uses PASSWORD_BCRYPT, which is the strongest algorithm available in PHP for creating password hashes.

In turn, PASSWORD_BCRYPT uses CRYPT_BLOWFISH. That is, as described:

This will produce a standard crypt() compatible hash using the "$2y$" identifier.

It is important to note that password_hash() is nothing more than a wrapper around crypt() with an automatic salt generator and a limited set of password-compatible hashes, or, as described in crypt():

password_hash() is a simple crypt() wrapper and compatible with existing password hashes

The difference between using password_hash() and crypt() alone lies in the salts, which are created automatically by password_hash(). As described in the following sections:

password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically.

And:

salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

In the case of crypt(), if the salt is not provided, it will not use any salt at all and will create a weak "hash", which can be broken more easily than one with a salt:

The salt parameter is optional. However, crypt() creates a weak hash without the salt. PHP 5.6 or later raise an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.

The description of PASSWORD_DEFAULT refers to the fact that at some point in the future (near or not) an algorithm stronger than CRYPT_BLOWFISH may be created and become the default for new passwords, making CRYPT_BLOWFISH obsolete. Therefore, it is recommended that password fields have a size of at least 255, since PASSWORD_BCRYPT currently generates a 60-character hash but a new one may eventually be larger.
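To make the "crypt() wrapper with an automatic salt" relationship concrete, here is an added example that takes a PASSWORD_BCRYPT hash apart and checks it against crypt() directly. It is not code from the answer above or from PHP's manual; it assumes PHP 7.0 or later, and the password value is constructed for illustration.

```php
<?php
// Added example: inspect the "$2y$" string password_hash() produces and confirm
// it is the same thing crypt() would produce given that salt.
declare(strict_types=1);

/**
 * Split a bcrypt string into its fields. The 60-character layout is:
 *   $2y$ | 2-digit cost | $ | 22 characters of salt | 31 characters of digest
 * Returns null if the string is not a well-formed bcrypt hash.
 */
function parseBcrypt(string $hash): ?array
{
    $pattern = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (preg_match($pattern, $hash, $m) !== 1) {
        return null;
    }
    return [
        'identifier' => $m[1],
        'cost'       => (int) $m[2],
        'salt'       => $m[3],   // the salt password_hash() generated for us
        'digest'     => $m[4],
        'length'     => strlen($hash),
    ];
}

$password = 'correct horse battery staple'; // constructed example value
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

print_r(parseBcrypt($hash));

// password_hash() is a crypt() wrapper: passing the stored hash back to crypt()
// as its salt argument reproduces the hash, which is how password_verify() works.
var_dump(hash_equals($hash, crypt($password, $hash)));
var_dump(password_verify($password, $hash));

// Hashing the same password twice gives different strings, because a fresh salt
// is generated each time; both still verify. This is the part crypt() alone
// leaves to the caller, and what goes wrong when the salt is omitted.
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($hash !== $second, password_verify($password, $second));

// Sanity check behind the column-size advice: bcrypt output is exactly 60
// characters today, but a column of 255 leaves room for a future default whose
// output is longer.
var_dump(strlen($hash) === 60);
```

Note that crypt() only reads the first 29 characters of its second argument (the "$2y$", the cost and the 22-character salt), so passing the whole stored hash is the standard way to re-derive it; hash_equals() is used for the comparison so that the check does not leak timing information.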
