My take on bcrypt, adapted[^1] from phpass, since I learned last week that salted SHA-1 hashes aren’t secure enough anymore for password validation.
I’d love to get input from any security experts out there on whether this approach — essentially, only the CRYPT_BLOWFISH part of phpass — is sufficiently secure before I deploy it.
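To make "only the CRYPT_BLOWFISH part of phpass" concrete, here is an added example of the same idea: a small wrapper around PHP's own `crypt()` that generates a bcrypt setting string, hashes with it, and verifies in constant time. This is my illustration, not the author's adapted phpass code and not phpass itself; the class name `BcryptHasher` and its methods are my own, and it assumes PHP 5.3.7 or later so that the `$2y$` prefix (which fixes the 8-bit-character bug in older `$2a$` handling) is available.

```php
<?php
// Added example (not the post's code): bcrypt via crypt()'s CRYPT_BLOWFISH only.
// Assumes PHP >= 5.3.7 for the "$2y$" prefix. Class/method names are hypothetical.

class BcryptHasher
{
    /** @var int bcrypt cost factor; work grows as 2^cost */
    private $cost;

    public function __construct($cost = 12)
    {
        if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) {
            throw new RuntimeException('crypt() on this build lacks CRYPT_BLOWFISH');
        }
        if (version_compare(PHP_VERSION, '5.3.7', '<')) {
            throw new RuntimeException('the $2y$ prefix needs PHP 5.3.7 or later');
        }
        $cost = (int) $cost;
        if ($cost < 4 || $cost > 31) {
            throw new InvalidArgumentException('cost must be between 4 and 31');
        }
        $this->cost = $cost;
    }

    /** Return a 60-character "$2y$NN$..." hash for $password. */
    public function hash($password)
    {
        // bcrypt treats the password as a C string: a NUL would silently truncate it.
        // (It also only uses the first 72 bytes; longer input is accepted but ignored.)
        if (strpos($password, "\0") !== false) {
            throw new InvalidArgumentException('password may not contain NUL bytes');
        }
        $setting = sprintf('$2y$%02d$%s', $this->cost, $this->randomSalt());
        $hash = crypt($password, $setting);
        // On failure crypt() returns a short string such as "*0"; never store that.
        if (!is_string($hash) || strlen($hash) !== 60) {
            throw new RuntimeException('bcrypt hashing failed');
        }
        return $hash;
    }

    /** Constant-time check of $password against a stored bcrypt hash. */
    public function verify($password, $storedHash)
    {
        if (!is_string($storedHash) || strlen($storedHash) !== 60
            || strncmp($storedHash, '$2y$', 4) !== 0) {
            return false;
        }
        // Passing the stored hash as the "salt" makes crypt() reuse its cost and salt.
        $computed = crypt($password, $storedHash);
        if (!is_string($computed) || strlen($computed) !== 60) {
            return false;
        }
        return self::constantTimeEquals($computed, $storedHash);
    }

    /** True if the stored hash was made with a lower cost than we now require. */
    public function needsRehash($storedHash)
    {
        return strlen($storedHash) !== 60 || (int) substr($storedHash, 4, 2) < $this->cost;
    }

    /** 22 characters from bcrypt's salt alphabet ./A-Za-z0-9, drawn from a CSPRNG. */
    private function randomSalt()
    {
        if (function_exists('random_bytes')) {               // PHP 7+
            $raw = random_bytes(16);
        } else {
            $raw = openssl_random_pseudo_bytes(16, $strong);  // PHP 5.3+
            if ($raw === false || $strong !== true) {
                throw new RuntimeException('no cryptographically strong random source');
            }
        }
        // base64 of 16 bytes is 24 chars; bcrypt wants 22 from ./A-Za-z0-9,
        // so map '+' to '.' and truncate ('/' is already in the alphabet).
        return substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    }

    private static function constantTimeEquals($a, $b)
    {
        if (function_exists('hash_equals')) {                // PHP 5.6+
            return hash_equals($a, $b);
        }
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}

// Usage: hash at registration, verify at login, rehash if the cost was raised.
$hasher = new BcryptHasher(12);
$stored = $hasher->hash('correct horse battery staple');
var_dump($hasher->verify('correct horse battery staple', $stored));
var_dump($hasher->verify('wrong password', $stored));
var_dump($hasher->needsRehash($stored));
```

Two points worth checking before deploying something like this: the salt must come from a cryptographically strong source (the code refuses to proceed if `openssl_random_pseudo_bytes` reports a weak result), and the comparison of the recomputed hash against the stored one should not short-circuit on the first differing byte. On PHP 5.5 and later, `password_hash()` and `password_verify()` do all of the above natively and are the better choice.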
[^1]: You might be wondering why I didn’t just use phpass. Most of its code is only necessary for legacy versions of PHP prior to 5.3, and I’d rather not have more code (and more potential vulnerabilities or shortcomings) than I need. I also wanted to modernize the code for PHP 5’s (and my own) conventions.