What is the difference between using PASSWORD_DEFAULT and PASSWORD_BCRYPT?

5

Searching for hashing, I noticed that the second parameter of the password_hash function has two options, PASSWORD_DEFAULT and PASSWORD_BCRYPT:

  • Exactly which of the two should I give preference to use?

Should it be PASSWORD_DEFAULT? Well, in the documentation both are explained, and it says that:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

So from this quote one can assume that bcrypt and CRYPT_BLOWFISH are different standards; so, exactly:

  • What would be the difference between them?
asked by anonymous 04.04.2017 / 15:40

2 answers

6

There is no difference right now.

The difference is that PASSWORD_DEFAULT is set to change when new algorithms are added; however, at this time (the latest version is PHP 7.1, for reference) PHP only supports bcrypt.

In PHP 7.2 Argon2 is expected to arrive; if this actually happens there may be two options, for example:

PASSWORD_BCRYPT 
PASSWORD_ARGON2I

This way PASSWORD_DEFAULT could change in PHP 7.3 from PASSWORD_BCRYPT to PASSWORD_ARGON2I; that is its purpose, so be advised that it can change over time.

But at this time there is no difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT.

PASSWORD_DEFAULT update policies

  • Any new algorithm must be available for at least one full PHP version (full release) before it can become PASSWORD_DEFAULT. If SCrypt is added in PHP 5.5.5, it cannot be DEFAULT until PHP 5.7, because PHP 5.6 is the only "full release" in between. If JCrypt is added in PHP 5.6.0 it can become the default in PHP 5.7.

  • PASSWORD_DEFAULT can only be changed in a "full version" (full release: 5.5, 5.6, 7.0, ...) and cannot be modified in revision versions (5.5.1, 5.6.1, ...) unless it is an emergency, such as a serious security vulnerability found in the DEFAULT in use.

04.04.2017 / 16:26
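The point made in the answer above (today the two constants produce the same bcrypt hash, but PASSWORD_DEFAULT is allowed to move to another algorithm in a future release) has a practical consequence for application code: stored hashes must be re-hashed as the default changes. The following is an added example, not code from the original answer. It inspects what both constants produce on the running PHP build and shows the rehash-on-login pattern built on password_needs_rehash(); the checkLogin() helper and the sample credential are this example's own assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the original answer): inspect what PASSWORD_DEFAULT
// and PASSWORD_BCRYPT produce on the running PHP build, then show the
// rehash-on-login pattern that keeps stored hashes current when the default
// algorithm or its cost changes. checkLogin() is this example's own helper.

// Constructed sample credential for the demonstration.
$password = 'correct horse battery staple';

$hashDefault = password_hash($password, PASSWORD_DEFAULT);
$hashBcrypt  = password_hash($password, PASSWORD_BCRYPT);

// password_get_info() reports which algorithm and options a hash was made with.
foreach (['PASSWORD_DEFAULT' => $hashDefault, 'PASSWORD_BCRYPT' => $hashBcrypt] as $name => $hash) {
    $info = password_get_info($hash);
    printf("%-16s -> %s, cost %d, %d chars, crypt id %s\n",
        $name, $info['algoName'], $info['options']['cost'], strlen($hash), substr($hash, 0, 4));
}
// As long as PASSWORD_DEFAULT is still bcrypt (true from PHP 5.5 through 8.x),
// both lines report "bcrypt", 60 chars and the "$2y$" identifier.

/**
 * Verify a login attempt. On success, also report whether the stored hash
 * should be replaced: password_needs_rehash() is true when the hash was
 * produced with a different algorithm or different options (such as a lower
 * cost) than the ones requested now.
 *
 * @return array{ok: bool, newHash: ?string}  newHash must be written back to storage when set
 */
function checkLogin(string $storedHash, string $attempt, array $options = []): array
{
    if (!password_verify($attempt, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        return ['ok' => true, 'newHash' => password_hash($attempt, PASSWORD_DEFAULT, $options)];
    }
    return ['ok' => true, 'newHash' => null];
}

// Same algorithm, same cost: verified, nothing to do.
$r = checkLogin($hashDefault, $password);
printf("same options:  ok=%s rehash=%s\n", var_export($r['ok'], true), var_export($r['newHash'] !== null, true));

// Operator raised the cost one step above this build's default: verified, and a
// new hash is returned so the upgrade happens transparently at the next login.
// The same branch fires when a future PHP release moves PASSWORD_DEFAULT to a
// different algorithm.
$higherCost = password_get_info($hashDefault)['options']['cost'] + 1;
$r = checkLogin($hashDefault, $password, ['cost' => $higherCost]);
printf("cost raised:   ok=%s rehash=%s\n", var_export($r['ok'], true), var_export($r['newHash'] !== null, true));

// Wrong password: rejected, no rehash.
$r = checkLogin($hashDefault, 'not the password');
printf("wrong secret:  ok=%s rehash=%s\n", var_export($r['ok'], true), var_export($r['newHash'] !== null, true));
```

Because password_needs_rehash() compares the algorithm identifier and options embedded in the hash string against what the code now requests, the application never has to know in advance which algorithm PASSWORD_DEFAULT will resolve to; it only has to write the returned newHash back on a successful login. That is also why the 255-character column the manual recommends matters: the replacement hash may be longer than bcrypt's 60 characters.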
1

As described in the manual, it is recommended to use PASSWORD_DEFAULT.

The description states that currently PASSWORD_DEFAULT uses PASSWORD_BCRYPT, which is the strongest algorithm available in PHP for creating password hashes.

In turn, PASSWORD_BCRYPT uses CRYPT_BLOWFISH. That is, as described:

This will produce a standard crypt() compatible hash using the "$2y$" identifier.

It is important to note that password_hash() is nothing more than a wrapper around crypt() with an automatic salt generator and a limited, compatible set of password hashes, or, as described under crypt():

password_hash() is a simple crypt() wrapper and compatible with existing password hashes

The difference between using password_hash() and plain crypt() lies in the salts, which are created automatically by the password_hash() function. As described in the following excerpts:

password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically.

And:

salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

In the case of crypt(), if the salt is not provided, it will not use a salt and will create a "weak hash", which can be broken more easily than one with a salt:

The salt parameter is optional. However, crypt() creates a weak hash without the salt. PHP 5.6 or later raise an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.

Since the description of PASSWORD_DEFAULT says that at some point in the future (near or not) an algorithm stronger than CRYPT_BLOWFISH may be created and become the default for new passwords, making CRYPT_BLOWFISH obsolete, it is recommended that the password fields be at least 255 characters. Currently PASSWORD_BCRYPT generates a 60-character hash, and in the meantime a new one may be larger.
04.04.2017 / 16:29
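The answer above describes password_hash() as a crypt() wrapper that adds automatic salt generation. The following added example (not code from the original answer, and not PHP's internal implementation) makes that relationship concrete by doing the salt step by hand: it builds a bcrypt salt in the "$2y$" format, feeds it to crypt(), and shows that the result is interchangeable with what password_hash() produces. makeBcryptSalt(), verifyWithCrypt() and the sample credential are this example's own assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the original answer): what password_hash() does on
// top of crypt(), shown by hand. makeBcryptSalt() and verifyWithCrypt() are
// this example's own helpers, not PHP library internals.

// Build a bcrypt salt in the form crypt() expects: the "$2y$" identifier, a
// two-digit cost, and 22 characters from the bcrypt alphabet [./A-Za-z0-9]
// derived from 16 cryptographically random bytes.
function makeBcryptSalt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $raw  = base64_encode(random_bytes(16));        // 24 chars, may contain '+'
    $salt = substr(strtr($raw, '+', '.'), 0, 22);   // bcrypt uses '.' where base64 uses '+'
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Constructed sample credential for the demonstration.
$password = 'correct horse battery staple';

// 1. Manual route: crypt() with a salt we generated ourselves.
$manualHash = crypt($password, makeBcryptSalt(10));

// 2. Wrapper route: password_hash() generates the salt for us.
$wrapperHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Both are 60-character "$2y$10$..." strings in the same crypt() format;
// only the random salt portion (and therefore the digest) differs.
printf("crypt():         %s (%d chars)\n", $manualHash, strlen($manualHash));
printf("password_hash(): %s (%d chars)\n", $wrapperHash, strlen($wrapperHash));

// password_verify() accepts either, because it is itself crypt()-based.
var_dump(password_verify($password, $manualHash));
var_dump(password_verify($password, $wrapperHash));

// Verifying a crypt() hash by hand: re-run crypt() using the stored hash as the
// salt argument (it carries the identifier, cost and salt in its prefix) and
// compare in constant time to avoid a timing side channel.
function verifyWithCrypt(string $stored, string $attempt): bool
{
    return hash_equals($stored, crypt($attempt, $stored));
}
var_dump(verifyWithCrypt($manualHash, $password));
var_dump(verifyWithCrypt($manualHash, 'not the password'));

// Never call crypt() without a salt: PHP 5.6 and 7 only raise E_NOTICE and
// still emit a weak hash, and PHP 8 makes the salt argument mandatory.
```

The manual route is shown only to illustrate what the wrapper hides; in application code, password_hash() and password_verify() remain the right calls, since they generate the salt with a CSPRNG, pick the rounds, and do the constant-time comparison for you.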