Tuesday, April 17, 2012

PHP Password Library

When I wrote my first Web application that required a user to log in, I stored the user's password in my database using a simple MD5 hash. It worked well, and I wasn't storing my passwords in plain text. Eventually I learned about rainbow tables, and suddenly using MD5 or SHA1 didn't seem like such a good idea. Even salted hashes using these functions are no match for tools like hashcat on modern hardware.

I've used a number of password hashing techniques over the years, and I even used Openwall's portable hashing library for a little while. While the library is certainly easy to work with, I didn't like that it was a monolithic class written for PHP 4 and offered very little control over the process. At this point, I was used to working with the modular components of Zend Framework. So, I did what most any other developer with some extra cycles to burn would do: I wrote my own password hashing library for PHP 5.

The library is modular and extensible. The current version is capable of creating password hashes using several widely recognized and recommended methods including bcrypt and PBKDF2. It also includes adapters for calculating password strength based on popular algorithms such as the one recommended by NIST.
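To make the contrast concrete, here is an added example (not code from the PHP Password Library itself) showing the unsalted MD5 storage described above beside bcrypt and salted PBKDF2, using only PHP's standard functions; it assumes PHP 7.0 or later so that `password_hash`, `hash_pbkdf2`, `random_bytes` and `hash_equals` are available.

```php
<?php
// Added example, not code from the PHP Password Library described in the post.
// Assumes PHP 7.0+: password_hash, hash_pbkdf2, random_bytes and hash_equals.

// The "before": an unsalted MD5 digest. Identical passwords give identical
// hashes, so one precomputed table or fast GPU run breaks many accounts at once.
function weakMd5Hash(string $password): string
{
    return md5($password);
}

// bcrypt through PHP's built-in wrapper. The random salt is generated for you
// and embedded in the output string; "cost" is the work factor (2^cost rounds).
function bcryptHash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function bcryptVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// PBKDF2-HMAC-SHA256 with an explicit 16-byte random salt. Stored as
// "pbkdf2$iterations$salt$dk" so the parameters travel with the hash and can
// be raised later without breaking old records.
function pbkdf2Hash(string $password, int $iterations = 100000): string
{
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return sprintf('pbkdf2$%d$%s$%s', $iterations, base64_encode($salt), base64_encode($dk));
}

function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 4);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    list(, $iterations, $salt, $dk) = $parts;
    $candidate = hash_pbkdf2('sha256', $password, base64_decode($salt), (int) $iterations, 32, true);
    // Constant-time comparison so the position of a mismatch leaks nothing.
    return hash_equals(base64_decode($dk), $candidate);
}

// Demonstration on a constructed password.
$pw = 'correct horse battery staple';
echo weakMd5Hash($pw), "\n";   // identical on every run and in every database
$b = bcryptHash($pw);
echo $b, "\n";                 // differs on every run because the salt is embedded
var_dump(bcryptVerify($pw, $b), bcryptVerify('wrong password', $b));
$p = pbkdf2Hash($pw);
var_dump(pbkdf2Verify($pw, $p), pbkdf2Verify('wrong password', $p));
```

Running the MD5 and bcrypt hashes repeatedly makes the point of the post visible: the MD5 digest never changes, while each bcrypt or PBKDF2 hash is unique per user and deliberately slow to recompute.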

So check out my PHP Password Library, and feel free to report any issues or feedback on the GitHub project page.