function password_encrypt($password) { $hash_format = "$2y$10$"; // Tells PHP to use Blowfish with a "cost" of 10 $salt_length = 22; // Blowfish salts should be 22-characters or more $salt = generate_salt($salt_length); $format_and_salt = $hash_format . $salt; $hash = crypt($password, $format_and_salt); return $hash; } function generate_salt($length) { // Not 100% unique, not 100% random, but good enough for a salt // MD5 returns 32 characters $unique_random_string = md5(uniqid(mt_rand(), true)); // Valid characters for a salt are [a-zA-Z0-9./] $base64_string = base64_encode($unique_random_string); // But not '+' which is valid in base64 encoding $modified_base64_string = str_replace('+', '.', $base64_string); // Truncate string to the correct length $salt = substr($modified_base64_string, 0, $length); return $salt; } Do you guys thnk this is secure? What could have been done differently? What's maybe easier to use to secure a password and hash it?
password_hash()andpassword_verify()does the trick and are easy to use and very secure, compared to what you just did.<?php $password = "YourStrongPassword"; $hash = password_hash($password,PASSWORD_DEFAULT); //hashing the password. $pass2 = $password; //this could be from a userinput // verifying the hash. if(password_verify($pass2,$hash)){ echo "passwords match"; }else{ echo "passwords does not match"; } ?>