password_hash or crypt, which brings more security?


I do not know much about hashing and security. I found two working functions and did not know what the difference between them would be, and consequently which is the safest way to save and capture passwords.

My question is: which one should I use, password_hash or crypt? I know that password_hash internally uses crypt; does this make it more complete and secure?


Examples:

crypt:

$hash = crypt($pass); // hashes the password; no salt given, so PHP picks a weak default (E_NOTICE on 5.6+, the argument is required on 8.0+)
if (hash_equals($hash, crypt($pass, $hash))) { // verifies the password; hash_equals instead of == avoids timing leaks
    // password matches
}

password_hash

$options = [
    'cost' => 11,
    // Supplying a salt is deprecated since PHP 7.0 and ignored since 8.0; password_hash generates its own.
    // mcrypt_create_iv() was removed with the mcrypt extension in PHP 7.2 (random_bytes() replaces it).
    'salt' => mcrypt_create_iv(50, MCRYPT_DEV_URANDOM),
];

$hash = password_hash($pass, PASSWORD_BCRYPT, $options); // hashes the password with bcrypt
if (password_verify($pass, $hash)) { // verifies the password
    // password matches
}
asked by anonymous 27.12.2015 / 23:39

1 answer


The simplest way to explain the difference is to say that the two have different patterns, and one allows more algorithms than the other, which may sometimes vary depending on the system in use; this applies to crypt.

The crypt function takes the salt as an optional parameter in older versions of PHP, which results in weaker passwords, and newer versions of PHP return an E_NOTICE if you do not provide a salt. The crypt function uses the DES algorithm by default, or even MD5, depending on the system in use, and also supports various encryption algorithms.

With the password_hash function, you can only use one algorithm, which is bcrypt, or the default if you want to use a new algorithm that is safer than the previous one.

In recent versions of PHP it is recommended not to create salts manually unless it is really necessary, since the password_hash function already creates sufficiently safe salts.

The password_hash function is basically a derivative of the crypt function, and the two are compatible.

crypt was loosely used by many people before the arrival of password_hash in PHP >= 5.5.0, which allowed users to focus on hashing with a specific, tested algorithm; even today many people use crypt instead of password_hash.

Neither one is less secure than the other; they differ only in the way they are employed.

28.12.2015 / 00:41
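The following is an added example, not code from the question or the answer above. It puts the three paths the answer describes side by side on PHP 7.0 or later: crypt() with a two-character salt (traditional DES), crypt() with an explicit bcrypt setting string, and password_hash() with its own generated salt. It also shows the compatibility the answer mentions, that password_verify() accepts a bcrypt hash produced by crypt(), and a login-time check that migrates legacy crypt() hashes to bcrypt. All function names, the cost of 11 and the sample passwords are constructed for the example.

```php
<?php
declare(strict_types=1);

// 1. Traditional DES via crypt(): a 2-character salt selects the DES scheme.
//    DES crypt uses only the first 8 bytes of the password, so any two
//    passwords that share their first 8 bytes hash to the same value.
//    (The salt argument is mandatory on PHP 8; never rely on a default.)
function desCollision(): bool
{
    $salt = 'ab';                       // constructed, fixed so the run is reproducible
    $h1 = crypt('password1', $salt);
    $h2 = crypt('password2', $salt);
    return $h1 === $h2;                 // true: bytes after the 8th are ignored
}

// 2. bcrypt via crypt(): the setting string is "$2y$" + 2-digit cost + "$" + 22 salt chars.
//    The bcrypt salt alphabet is ./A-Za-z0-9, so base64 '+' is mapped to '.' and the
//    output truncated to 22 characters.
function bcryptSalt(): string
{
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

function cryptBcrypt(string $password, int $cost = 11): string
{
    $setting = '$2y$' . sprintf('%02d', $cost) . '$' . bcryptSalt();
    $hash = crypt($password, $setting);
    // crypt() reports failure with a short "*0"/"*1" string instead of throwing;
    // a real bcrypt hash is always 60 characters.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt via crypt() failed');
    }
    return $hash;
}

// 3. bcrypt via password_hash(): same output format, salt drawn by PHP.
function hashPassword(string $password, int $cost = 11): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login-time check that also upgrades old hashes. Legacy crypt() hashes (DES, MD5 crypt, ...)
// are verified by re-running crypt() with the stored hash as the salt and comparing in
// constant time; bcrypt/argon hashes go through password_verify(). Returns [ok, newHashOrNull],
// where newHash is set whenever the stored value should be replaced.
function checkAndUpgrade(string $password, string $stored, int $cost = 11): array
{
    $info = password_get_info($stored);     // 'algo' is 0 (PHP < 7.4) or null (7.4+) for unknown formats
    if (empty($info['algo'])) {
        $ok = hash_equals($stored, crypt($password, $stored));
        return [$ok, $ok ? hashPassword($password, $cost) : null];
    }
    $ok = password_verify($password, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return [$ok, $needsRehash ? hashPassword($password, $cost) : null];
}

// Demonstration with constructed passwords.
assert(desCollision());                                        // DES truncation makes the two collide

$viaCrypt = cryptBcrypt('correct horse battery');
assert(password_verify('correct horse battery', $viaCrypt));   // crypt()-made bcrypt verifies with password_verify()
assert(!password_verify('wrong', $viaCrypt));

$legacy = crypt('correct horse battery', 'ab');                 // an old DES hash as it might sit in a database
[$ok, $upgraded] = checkAndUpgrade('correct horse battery', $legacy);
assert($ok && $upgraded !== null && str_starts_with($upgraded, '$2y$11$'));
[$ok2, $again] = checkAndUpgrade('correct horse battery', $upgraded);
assert($ok2 && $again === null);                               // already bcrypt at the target cost: nothing to do

echo "ok\n";
```

Run with assertions enabled (zend.assertions=1). str_starts_with() exists from PHP 8.0; on 7.x replace it with strpos($upgraded, '$2y$11$') === 0. The migration in checkAndUpgrade only happens at a successful login, because the plaintext is needed to compute the new hash; hashes of users who never log in stay in the old format, which is the usual reason to also expire such accounts or force a reset after a deadline.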