PHP's password_hash function is a wrapper for the crypt function?


The password_hash function looks like a wrapper that adds a high-level layer to the crypt function, since it has a default setting that could be done with crypt manually.

The same thing happens with the password_verify function, which seems equivalent to this:

function password_verify($password, $passwordHash)
{
     return (crypt($password, $passwordHash) === $passwordHash);
}

I'm curious as to whether wrappers are added to crypt in the latest version of PHP.

Note: I know the above code is insecure because it is vulnerable to a timing attack, but it is just a way to try to illustrate the idea. The point is whether it's a wrapper or not. Therefore, security is not the focus of this question.

Thanks in advance.

asked by anonymous 01.07.2018 / 17:21

1 answer


This code is insecure, because it uses ===.

password_hash also supports Argon2 in the latest PHP versions, which is not supported by crypt. The crypt function also varies from platform to platform, and not all algorithms may be available; even BCrypt may not exist.

The crypt function also requires a salt, which must be unique. In password_hash this is generated internally in the function.

However, yes, it is a wrapper. This is mentioned in documentation :


"password_hash() is a simple crypt() wrapper and compatible with existing password hashes"

    
01.07.2018 / 17:29
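As an added example (not code from the question or the answer), the following PHP script shows the relationship the answer describes: a bcrypt hash built by hand with crypt() is accepted by password_verify(), a hash produced by password_hash() is accepted by crypt(), and the comparison uses hash_equals() instead of the === from the question. It assumes PHP 7.2 or later with bcrypt available; the password string is a constructed sample.

```php
<?php
// Added example: password_hash()/password_verify() and crypt() operate on the
// same bcrypt hash format. Assumes PHP >= 7.2 with bcrypt available.

$password = 'correct horse battery staple'; // constructed sample input

// 1) Manual crypt(): build the bcrypt setting string ourselves.
//    Format: "$2y$" + two-digit cost + "$" + 22 chars from [./A-Za-z0-9].
$cost = 10;
$rawSalt = random_bytes(16);
$salt22 = substr(strtr(base64_encode($rawSalt), '+', '.'), 0, 22);
$cryptSetting = sprintf('$2y$%02d$%s', $cost, $salt22);
$manualHash = crypt($password, $cryptSetting);

// 2) password_hash(): the salt is generated internally, nothing to build.
$autoHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

// Constant-time replacement for the question's "=== " comparison
// (hypothetical helper name, not a PHP built-in).
function verify_with_crypt(string $password, string $hash): bool
{
    // hash_equals() avoids the timing leak of a plain === string compare.
    return hash_equals($hash, crypt($password, $hash));
}

// Both hashes are accepted by both verification paths, which is what
// "compatible with existing password hashes" means in practice.
var_dump(password_verify($password, $manualHash));        // bool(true)
var_dump(verify_with_crypt($password, $autoHash));        // bool(true)
var_dump(verify_with_crypt('wrong password', $autoHash)); // bool(false)

// The algorithm and cost can be read back out of either hash string.
print_r(password_get_info($manualHash));

// Argon2id (PHP >= 7.3 built with Argon2 support) has no crypt() equivalent,
// which is why password_hash() is more than a thin wrapper on current PHP.
if (defined('PASSWORD_ARGON2ID')) {
    $argonHash = password_hash($password, PASSWORD_ARGON2ID);
    var_dump(password_verify($password, $argonHash)); // bool(true)
}
```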