Is the PHP password_hash function a wrapper for the crypt function?

The function password_hash seems to me to be a wrapper that adds a high-level layer over the function crypt, because it brings a default setting that could be made with crypt manually.

Same with the function password_verify, which seems equivalent to this:

function password_verify($password, $passwordHash)
{
     return (crypt($password, $passwordHash) === $passwordHash);
}

I am curious to know whether they are wrappers added on top of crypt in the latest version of PHP.

Note: I know that the above code is insecure as it is vulnerable to a timing attack, but it is just a way to try to illustrate the idea. The point is to know if it’s a wrapper or not. Therefore, security is not the focus of this question.

Thanks in advance.

1 answer


This code is unsafe because it uses ===.

password_hash also supports Argon2 in the latest versions of PHP, which is not supported by crypt. crypt also varies from platform to platform, and not all algorithms may be available, including Bcrypt.

The crypt function also requires a salt, which must be unique. In password_hash this is generated internally in the function.

However, yes, it is a wrapper. This is mentioned in the documentation:

"password_hash() is a simple crypt() wrapper and compatible with existing password hashes"

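Added example, not part of the question or the answer above: it shows the wrapper relationship for bcrypt by reproducing a password_hash() result with crypt(), and rewrites the question's crypt()-based check with hash_equals() instead of ===. The helper name crypt_verify is hypothetical, the password and the malformed hash are constructed sample values, and a PHP build where crypt() supports bcrypt is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: the question's crypt()-based check, made timing-safe.
function crypt_verify(string $password, string $storedHash): bool
{
    // Passing the stored hash as the "salt" makes crypt() reuse its
    // algorithm prefix, cost and salt.
    $computed = crypt($password, $storedHash);

    // On failure crypt() returns a short marker ("*0" or "*1"), not a hash.
    if (strlen($computed) < 13) {
        return false;
    }

    // hash_equals() compares in constant time, unlike ===.
    return hash_equals($storedHash, $computed);
}

$password = 'correct horse battery staple';   // constructed sample value
$badHash  = '$2y$10$tooshort';                // constructed malformed bcrypt string

// password_hash() generates the salt itself, so two calls give two hashes.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// A bcrypt hash is in crypt() format: "$2y$" + cost + "$" + 22-char salt + digest.
// The first 29 characters are therefore the full crypt() settings string.
$settings = substr($hashA, 0, 29);

$results = [
    'salt differs between calls'       => !hash_equals($hashA, $hashB),
    'crypt() reproduces the hash'      => hash_equals($hashA, crypt($password, $settings)),
    'crypt_verify accepts password'    => crypt_verify($password, $hashA),
    'crypt_verify rejects wrong one'   => !crypt_verify('wrong password', $hashA),
    'crypt_verify rejects broken hash' => !crypt_verify($password, $badHash),
    'password_verify agrees'           => password_verify($password, $hashA),
];

foreach ($results as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'yes' : 'NO');
}
printf("algorithm: %s\n", password_get_info($hashA)['algoName']);
```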