3

Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?

I am developing an API using PHP. My previous version of the API, which I want to migrate from, was built using Rails 3.

I have only one problem. The stored passwords for the users were encrypted with the below technique.

BCrypt::Engine.hash_secret(password, user.password_salt);

How can I do the same in PHP (Codeigniter) so that the users can continue using their old passwords?

Thankful for all help!

Jonathan Clark

2 Answers

1

I think you can use the crypt function with the blowfish algorithm: http://php.net/manual/en/function.crypt.php

Another option is to use mcrypt: http://www.php.net/manual/en/ref.mcrypt.php

Edit: example

Here's what I would do:

$hashedPassword = crypt('password', '$2a$11$abcd');

Use crypt like this:

$hash = crypt($password, $salt);

$hashedPassword should now contain the hash.

Basically, in order to use the Blowfish algorithm, the salt needs to be in this format: $2a$[2 digit cost parameter]$[22 digit alphanumeric string]

To determine if you have Blowfish on your server:

if (CRYPT_BLOWFISH == 1) {
    echo 'Blowfish:     ' . crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$') . "\n";
}
F21
  • Ok, sounds interesting. Unfortunately it seems too complicated, so I am not sure how to "copy" the Bcrypt technique. Is it possible that you can help me "convert" the above to mcrypt? – Jonathan Clark Aug 14 '11 at 10:22
  • Turns out it works perfectly on my local machine, but on the server the hash that is returned from crypt is different. How come? – Jonathan Clark Aug 14 '11 at 17:47
  • I think it is a possibility that the blowfish algorithm is not available on your server. If you are using PHP 5.3 and above, then the blowfish algorithm should be available. Otherwise, I have edited my post to determine if blowfish is available. – F21 Aug 14 '11 at 23:35
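
The crypt() approach from the answer above, written out as an added example that is not part of the original posts: it recomputes the Rails-era hash from the stored `password_salt`, rejects results that are not bcrypt output (the "different hash on the server" case from the comments), and compares in constant time. The function names `verifyLegacyBcrypt` and `constantTimeEquals`, the `$storedHash` value and the sample salt are assumptions made for illustration.

```php
<?php
// Added example: check a password against a hash the Rails app produced with
// BCrypt::Engine.hash_secret(password, user.password_salt).
// Assumption: the migrated user row holds that 60-character result
// ($storedHash, hypothetical name) next to the 29-character password_salt.

function constantTimeEquals($a, $b)
{
    if (function_exists('hash_equals')) {   // available from PHP 5.6
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function verifyLegacyBcrypt($password, $storedSalt, $storedHash)
{
    // Salt string: "$2a$" + 2-digit cost + "$" + 22 characters from ./A-Za-z0-9
    if (!preg_match('~^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{22}\z~', $storedSalt)) {
        return false;
    }
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH != 1) {
        throw new RuntimeException('crypt() has no Blowfish support on this host');
    }
    $computed = crypt($password, $storedSalt);
    // A failure marker or a fallback to another algorithm is not 60 characters
    // long and does not echo back the salt prefix that was passed in.
    if (!is_string($computed) || strlen($computed) !== 60
        || strncmp($computed, $storedSalt, 28) !== 0) {
        return false;
    }
    return constantTimeEquals($computed, $storedHash);
}

// Constructed sample standing in for one migrated user row.
$salt = '$2a$10$abcdefghijklmnopqrstuu';
$hash = crypt('correct horse', $salt);
var_dump(verifyLegacyBcrypt('correct horse', $salt, $hash));
var_dump(verifyLegacyBcrypt('wrong guess', $salt, $hash));
```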
1

I'm not sure how it's done, but take a look at the source for Tank Auth; it uses bcrypt. I think it's smart enough to use the built-in library if it's present on the system and falls back to an included version if necessary.

Matt