>Unlabelled > Portable PHP Password Hashing Framework

Portable PHP Password Hashing Framework

Posted on 10 Januari 2010 by c0decstuff

This is a portable public domain password hashing framework for use in PHP applications. It is meant to work with PHP 3 and above, and it has actually been tested with at least PHP 3.0.18 through 5.3.0 so far.
The preferred (most secure) hashing method supported by phpass is the OpenBSD-style Blowfish-based bcrypt, also supported with our public domain crypt_blowfish package (for C applications), and known in PHP as CRYPT_BLOWFISH, with a fallback to BSDI-style extended DES-based hashes, known in PHP as CRYPT_EXT_DES, and a last resort fallback to MD5-based salted and variable iteration count password hashes implemented in phpass itself (also referred to as portable hashes).
To ensure that the fallbacks will never occur, PHP 5.3.0+ or the Suhosin patch may be used. PHP 5.3.0+ and Suhosin integrate crypt_blowfish into the PHP interpreter such that bcrypt is available for use by PHP scripts even if the host system lacks support for it.
Included in the package are a PHP source file implementing the PasswordHash PHP class, a tiny PHP application demonstrating the use of the PasswordHash class, and a C reimplementation of the portable hashes (used for testing correctness of the primary implementation only).
Download:

These and other related files are also available via FTP.
Follow this link for information on verifying the signatures.
We may help you integrate phpass into your applications, please check out our services.

The Authen::Passphrase::PHPass Perl module reimplements the support for portable hashes introduced in phpass, but in Perl.
A cut-down version of phpass (supporting the portable hashes only) has been integrated into phpBB3 (although they have changed the hash type identifier string from "$P$" to "$H$", the hashes are otherwise compatible with those of genuine phpass).
phpass has been integrated into WordPress 2.5+ (more info), as well as bbPress.
A cut-down and reworked version of phpass (supporting the portable hashes only and requiring PHP 5+) has been integrated into development versions of Drupal leading to the upcoming Drupal 7 release (CVS commit 1, commit 2) after a lengthy discussion and many proposed patches against various development versions of Drupal. There's a notion of upgraded hashes - these are phpass portable hashes of md5() hashes (which were used by older versions of Drupal), with the final hash encodings prefixed with a "U" (for "upgraded").
There's also a module for Drupal 5 & 6 that makes the original phpass available with those versions of Drupal, including support for the more secure but not nearly as portable CRYPT_BLOWFISH and CRYPT_EXT_DES hashes.
Finally, there's an extension for the TYPO3 CMS that integrates support for phpass portable hashes into TYPO3 (using Drupal-derived phpass code).
The development of phpass and efforts on getting it into Drupal are partially supported by CivicActions, a Drupal consulting company.
Support further work on this software with donations.

4 Responses to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment