Encrypting Passwords in PHP

PHPServer Side ProgrammingProgramming

Due to the fact that Blowfish has vulnerabilities before PHP version 5.3.7, it would be suggested to use SHA-256 or SHA-512 instead. Both of them have a similar salt format similar to that of Blowfish (use a prefix of $5$ for SHA-256 and $6$ for SHA-512). In addition to this, it also contains an optional rounds parameter to force multiple hashing.

The salt on its own is a little shorter at only 16 characters but unlike Blowfish, it allows more than just alphanumeric characters.


 Live Demo

echo 'SHA-256 (no rounds): ' . crypt('password-to-encrypt', '$5$YourSaltyStringz$');
echo 'SHA-512 (with rounds): ' . crypt('password-to-encrypt', '$6$rounds=1000$YourSaltyStringz$');


This will produce the following output −

SHA-256 (no rounds): $5$YourSaltyStringz$td0INaoVoMPD4kieVrkGE67siKj3N8.HSff8ep0Ybs8SHA-512 (with rounds): $6$rounds=1000$YourSaltyStringz$A5UHscsEbSnPnaV6PmSF5T/MQK.Wc3klA.18c.gXG5pD0PVYSVr/7xwRu1XJyn8XpiMDNRTvpJm5S8DkmSywz1

Similar to Blowfish, the resulting hashes will contain the salt as part of the resultant hash.

Published on 07-Apr-2020 15:29:17