
After reading many articles and docs regarding password handling, it's more than obvious that among best practices:

  • I should not create custom encryption.
  • I should use low level functionality in PHP in order to make sure (to the extent possible) that I will be able to adapt in the future if needed.

I started using the PHP crypt() function when I saw phpass. Now I am halfway through implementing a user model in my PHP app (using codeigniter) and I stopped in order to think:

How should I design my code in order to be able to adapt and keep it working for many years to come? Is phpass in the PHP SPL library? Does this mean that support is ensured?

  • The next PHP standard is [`password_hash()`](http://php.net/manual/en/function.password-hash.php). I will certainly use it in future versions of my framework, but in the meantime, I would stick to standard algorithms based on php `crypt()`. – Tchoupi Apr 07 '13 at 15:02
  • @MathieuImbert: OK, and when, let's say, I would like to switch to new logic like password_hash(), what would I have to do to convert my existing user DB? – e4rthdog Apr 07 '13 at 15:06
  • Create a new password field, with the new format. And when a user logs in, validate his password against the old hash, hash it using the new algorithm, store the new hash and delete the old one. Shut down the old algorithm after a decent amount of time. – Tchoupi Apr 07 '13 at 15:12
  • I see... thanks... you could write your comments as an answer if you want. – e4rthdog Apr 07 '13 at 15:15
  • @MathieuImbert: Would you prefer using password_hash() for now with this? https://github.com/ircmaxell/password_compat – e4rthdog Apr 07 '13 at 15:48
  • @e4rthdog Interesting library. However, always be paranoid when using external libraries for that matter. Read the source code, research that it is well implemented. – Tchoupi Apr 07 '13 at 17:31
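The rehash-on-login migration Tchoupi describes in the comments, as an added example in PHP (not code from the question, the comments, or phpass). It assumes the legacy hashes are crypt() output as the question says, that the user row carries a hypothetical `hash_scheme` column recording which scheme produced the stored hash, and PHP 5.6+ for `hash_equals()`:

```php
<?php
// Added example: transparent hash upgrade on login. Column names
// (`password_hash`, `hash_scheme`) and the $user array are assumptions.

function verify_and_upgrade(string $password, array &$user): bool
{
    if ($user['hash_scheme'] === 'crypt') {
        // Legacy row: the stored value was produced by crypt(). Passing the
        // stored hash back as the salt makes crypt() reuse its algorithm,
        // cost and salt, so the result is comparable with the stored value.
        $recomputed = crypt($password, $user['password_hash']);
        if (!hash_equals($user['password_hash'], $recomputed)) {
            return false;
        }
        // Correct password: the plaintext is available only now, so this is
        // the moment to re-hash with the current API and mark the row migrated.
        $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        $user['hash_scheme']   = 'password_hash';
        return true;
    }

    // Migrated row: password_verify() reads algorithm, cost and salt from the hash.
    if (!password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Keep migrated rows current if PASSWORD_DEFAULT or its cost changes later.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo with a constructed legacy row: bcrypt produced by crypt() with a
// fixed 22-character salt (for illustration only; real salts are random).
$legacy = [
    'password_hash' => crypt('correct horse', '$2y$10$abcdefghijklmnopqrstuv'),
    'hash_scheme'   => 'crypt',
];
var_dump(verify_and_upgrade('wrong password', $legacy));
var_dump(verify_and_upgrade('correct horse', $legacy), $legacy['hash_scheme']);
var_dump(verify_and_upgrade('correct horse', $legacy));
```

After the migrated row has been written back, the old hash is gone from the database, and once no `crypt` rows remain the legacy branch can be removed, which is the "shut down the old algorithm" step from the comment.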
