
Password protection for PHP 5.3.3?

I'm doing an assignment for uni and I've been following guides as far as finding a way to hash a registered password onto the mysqli database, but it seems the university's myphp is only on 5.3.3 and MySQL 5.1.73.

What can I use to hash it instead of using 5.5's password_hash() function? Don't suppose there's a handy tutorial out there for it?

Many thanks!

Your best answer:

Have them upgrade to PHP 5.5 or higher and use password_hash() with a high work factor.

Point them to Thomas Pornin's canonical Security.stackexchange answer to How to securely hash passwords? to let him help argue the case for good password security.

Your next best answer:

Have them upgrade to PHP 5.3.7 or higher and use the password_hash() compatibility pack.

See above.

Your not-as-good answer:

You can use crypt on your current PHP 5.3.3 version reasonably IF you change some of the options:

crypt('password', '$6$rounds=150000$PerUserCryptoRandomSalt$')
  • $6 - use SHA-512, which has 64-bit operations that reduce the margin of advantage most GPU based attackers have over you as of early 2016.

  • $rounds=150000 - set the number of iterations to hundreds of thousands or high tens of thousands of rounds.

  • PerUserCryptoRandomSalt - unlike password_hash, you have to do this yourself. You need to generate a unique, cryptographically random salt of 12-24 binary bytes (16 is very reasonable).

    • Note that it's part of the result string, in cleartext, which is correct.

    • That's binary bytes! The size in the crypt() function gets doubled if you convert to hex, or increased by 4/3rds if you Base64 it.

To compare, you get the user's salt and number of rounds, and use crypt with those on the candidate password entered. If you get the same answer, it's the same password.
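The crypt()-based procedure from the answer above (random per-user salt, explicit round count, re-run crypt() on the candidate and compare), written out as an added example that is not part of the answer. It assumes PHP 5.3.2 or later (the version in which crypt() gained the $6$ SHA-512 scheme) with the openssl extension loaded for openssl_random_pseudo_bytes(). The pw_* function names, the PW_ROUNDS constant and the demo password are this example's own choices. Two details the answer leaves implicit are handled here: the SHA-crypt scheme only uses the first 16 salt characters and only accepts the [./0-9A-Za-z] alphabet, so the salt is built to exactly that shape from 12 random bytes; and hash_equals() does not exist before PHP 5.6, so the comparison is done in a loop that does not stop at the first differing byte.

```php
<?php
// Added example (not from the answer above): SHA-512 crypt() with a per-user
// random salt and an explicit round count, for PHP 5.3.2+ without password_hash().
//
// Assumptions: the openssl extension is loaded (openssl_random_pseudo_bytes,
// PHP >= 5.3.0) and crypt() supports the $6$ SHA-512 scheme (PHP >= 5.3.2).
// The SHA-crypt scheme uses at most 16 salt characters drawn from [./0-9A-Za-z],
// so the salt is generated to exactly that alphabet and length.

define('PW_ROUNDS', 150000);   // iteration count; tune so one hash takes ~100 ms on your server

// Return 16 salt characters in the crypt alphabet, sourced from 12 random bytes.
function pw_make_salt() {
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(12, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    // 12 bytes -> 16 base64 characters with no '=' padding; '+' is not in the
    // crypt alphabet, so map it to '.' ('/' is valid in both).
    return strtr(base64_encode($bytes), '+', '.');
}

// Hash a new password. The returned string embeds scheme, rounds and salt
// ("$6$rounds=150000$<salt>$<hash>"), so it is the only thing to store.
function pw_hash($password, $rounds = PW_ROUNDS) {
    $setting = '$6$rounds=' . (int)$rounds . '$' . pw_make_salt() . '$';
    $hash = crypt($password, $setting);
    // crypt() returns a string shorter than 13 characters ("*0" or "*1") on failure.
    if (strlen($hash) < 13 || strpos($hash, '$6$') !== 0) {
        throw new RuntimeException('crypt() SHA-512 failed');
    }
    return $hash;
}

// Compare two strings without short-circuiting on the first differing byte
// (hash_equals() only exists from PHP 5.6).
function pw_equals($known, $candidate) {
    if (strlen($known) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Verify a candidate password against a stored hash. Passing the whole stored
// hash as the setting makes crypt() reuse its scheme, rounds and salt, which is
// the "get the user's salt and number of rounds" step from the answer.
function pw_verify($password, $stored) {
    return pw_equals($stored, crypt($password, $stored));
}

// Demo with a constructed password (not real credentials).
$stored = pw_hash('correct horse battery staple');
echo $stored, "\n";
var_dump(pw_verify('correct horse battery staple', $stored));
var_dump(pw_verify('wrong password', $stored));
```

Store the full string returned by pw_hash() in the database column as-is (it is ASCII and about 120 characters long for SHA-512 with a rounds prefix); at login, load that string for the username and pass it to pw_verify(). Because the rounds value travels inside the stored string, PW_ROUNDS can be raised later and old hashes still verify until they are rehashed on the user's next successful login.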
