
Is it OK to use crypt() with password_verify()?

M66 2025-06-06

When doing password hashing and verification in PHP, crypt() and password_verify() are two frequently mentioned functions. Although both are involved in password-security processing, they are used differently and were designed for different purposes. Developers therefore often ask: is it OK to use crypt() together with password_verify()?

1. Overview of crypt() function

crypt() is the function PHP has historically used to hash passwords. It supports a variety of algorithms, such as:

  • DES (default)

  • MD5 (starting with $1$ )

  • Blowfish (starting with $2a$ , $2y$ , etc.)

  • SHA-256, SHA-512 (starting with $5$ , $6$ )

A typical crypt() usage is as follows:

$password = 'mySecret';
$salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$hash = crypt($password, $salt);

2. The principle of password_verify()

password_verify() was introduced in PHP 5.5 and is designed specifically for validating hashes generated by password_hash() . It automatically identifies the algorithm the hash was created with (such as Bcrypt or Argon2) and checks the entered plaintext password against it.

if (password_verify('mySecret', $hashFromDatabase)) {
    echo 'Correct password';
}

3. Can crypt() and password_verify() be used in combination?

Short answer: not recommended, and there is no good reason to.

Although password_verify() does call an underlying mechanism similar to crypt() , it only supports the hash format generated by its companion function password_hash() . If you produce a custom hash with crypt() and then verify it with password_verify() , the following problems arise:

  • If the hash format does not match what password_verify() expects, it returns false;

  • PHP does not guarantee that future versions will support non-standard hash formats generated by crypt() ;

  • password_verify() may be unable to parse a hash in an unexpected format at all, so verification always fails.

In other words, although the two are related, they are not functional pairs designed to be interoperable.

4. Security comparison

Risks of using crypt() :

  • Salt values and algorithm selection are managed by hand, which is error-prone;

  • If used improperly (for example with the default DES algorithm or a weak salt), the hashes are vulnerable to brute-force cracking;

  • There is no mechanism for automatically upgrading the algorithm;

  • Future compatibility cannot be guaranteed.

Advantages of using password_hash() and password_verify() :

  • Automatically selects a secure default algorithm (such as Bcrypt);

  • Automatically generate salt values;

  • The algorithm is well encapsulated, so developers do not need to care about the underlying implementation;

  • Algorithms can be upgraded smoothly via password_needs_rehash() ;

  • Its security has been reviewed against modern standards.

5. Recommended practices

For better security and future compatibility, it is recommended to always use password_hash() with password_verify() :

// When registering or changing a password
$hash = password_hash('mySecret', PASSWORD_DEFAULT);

// Verify at login
if (password_verify('mySecret', $hash)) {
    // Verification is successful
}

If your legacy system uses crypt() , it is recommended to regenerate the hash with password_hash() after the user logs in successfully and to update the stored value in the database. This lets the system transition gradually and smoothly to a more secure hashing scheme.
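The login-time migration just described, as an added example that is not code from the article: hashes produced by crypt() are checked with crypt() itself and rewritten with password_hash() once the password is confirmed, while hashes already produced by password_hash() go through password_verify() and password_needs_rehash(). The in-memory $users array, the $persist callback and the $1$ sample hash are constructed stand-ins, and str_starts_with() assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not from the article. The $users array below is a constructed
// stand-in for a database table; $persist stands in for the UPDATE statement.

/**
 * Verify $password against $storedHash. On success, hand an upgraded hash to
 * $persist whenever the stored one is not a current password_hash() result.
 */
function verifyAndMigrate(string $password, string $storedHash, callable $persist): bool
{
    // password_get_info() reports an empty 'algo' (null, or 0 before PHP 7.4)
    // for formats password_hash() never produced: DES, $1$, $5$, $6$ and so on.
    if (empty(password_get_info($storedHash)['algo'])) {
        // Legacy crypt() path: the stored hash carries its own algorithm and
        // salt, so feeding it back as the salt recomputes a comparable hash.
        $candidate = crypt($password, $storedHash);
        if (!hash_equals($storedHash, $candidate)) {   // constant-time compare
            return false;
        }
        $persist(password_hash($password, PASSWORD_DEFAULT));
        return true;
    }

    // Modern path: verify with password_verify(), then upgrade if the default
    // algorithm or cost has changed since the hash was stored.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $persist(password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Constructed legacy account: an MD5-crypt ($1$) hash of "mySecret".
$users = ['alice' => crypt('mySecret', '$1$abcdefgh$')];
$persist = function (string $newHash) use (&$users): void {
    $users['alice'] = $newHash;
};

var_dump(verifyAndMigrate('wrong', $users['alice'], $persist));    // false, hash untouched
var_dump(verifyAndMigrate('mySecret', $users['alice'], $persist)); // true, hash rewritten
var_dump(str_starts_with($users['alice'], '$2y$'));                // true: now bcrypt
var_dump(verifyAndMigrate('mySecret', $users['alice'], $persist)); // true, via password_verify()
```

A wrong password never triggers a rewrite, so the legacy hash is only replaced once the plaintext has actually been confirmed.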

6. Conclusion

Although crypt() is a veteran in PHP, it has gradually been replaced by the more modern and secure password_hash() and password_verify() for password handling. Combining crypt() with password_verify() does not bring the expected security improvement and may instead cause verification failures and other problems due to incompatibility. The best practice is therefore to adopt PHP's password_* family of functions fully for handling user passwords, ensuring the security and maintainability of the system.

For further security measures, you can use the Argon2 algorithm in combination: