More secure password hashing in PHP 5.5

September 12, 2012 | 1 comment

The most recent set of PHP releases suggest that the core development team are serious about keeping PHP at the forefront of web development technology, and addressing some of its legacy criticisms. I’ve previously talked about the JsonSerializable interface; now, PHP 5.5 is introducing an easier way to make password hashing more secure.

(What is password hashing, and why is it important for protecting your users’ privacy? Here’s a great introduction.)

Here’s the RFC, which was recently accepted. The idea is that too many people are using a naïve salting mechanism plus weak hash algorithm to store their passwords:

$hash = md5($password . $salt);

This is subject to attack on a bunch of different levels. bcrypt is the generally-accepted algorithm for hashing passwords, but the truth is, new attacks emerge all the time, and the standard is going to be a constantly moving target.

The new PHP passwords API will abstract that away. All you’ll do is get a hash like this:

$hash = password_hash($password);

To verify a password, you can simply use:

if (password_verify($password, $hash)) { /* Yay */ } else { /* Uh oh */ }

Salts and algorithms will be taken care of behind the scenes. Should you ever need to re-hash the password, at a point where you have the plain-text password, the password_needs_rehash($hash) function will let you know:

if (password_needs_rehash($hash)) {
    $hash = password_hash($password);
    // update hash in database

If you don’t want to have the salts managed transparently for you, and want to set a higher computational cost on the hash algorithm than the default 10, you can specify them in the function options:

password_hash($password, PASSWORD_DEFAULT, array("cost" => 14, "salt" => $salt));

There’s a compatible PHP shim for coders who won’t be using PHP 5.5 for a while yet.

I’m pretty excited about these additions to the PHP APIs. I’m also looking forward to checking out Ratchet, a way to develop real-time applications using WebSockets in PHP – something that removes a long-standing hole in the PHP functionality stack.

Meanwhile, I’m still experimenting with more development-related posts. Again, please let me know if this was useful!