When hashing passwords in PHP, both crypt() and password_hash() can produce a hash of a password, but there are important differences between the two. Choosing between them requires understanding how each works and what it offers, because the choice directly affects the security of the application. Note that this is hashing, not encryption: a stored password hash is never meant to be reversed, only compared against a freshly computed hash of the user's input.
crypt() is a long-standing hashing function inherited from Unix systems. It supports several algorithms (DES, MD5, Blowfish/bcrypt, SHA-256 and SHA-512); which one is used is determined by the format of the salt string you pass and by what the underlying system supports.
```php
$password = 'mySecretPassword';
// '$6$' selects SHA-512; 'rounds=' sets the iteration count. A real salt must be
// random and unique per password; SHA-crypt uses at most 16 salt characters.
$salt = '$6$rounds=5000$anexamplesaltstring$';
$hash = crypt($password, $salt);
```
crypt() selects the algorithm from the prefix of the supplied salt string; here the `$6$` prefix selects SHA-512. The developer is responsible for generating a fresh, random salt for every password and for formatting the setting string correctly, which is exactly where hand-rolled code tends to go wrong.
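As an added example (not from the original article), the following shows what crypt() demands of the developer when it is used correctly: a fresh random salt drawn from the crypt alphabet for every password, a check that crypt() did not fail (it returns a string shorter than 13 characters on failure), and a constant-time comparison when verifying. The function names and the rounds value are this example's own choices.

```php
<?php
declare(strict_types=1);

// Build a salt of the given length from the crypt() salt alphabet [./0-9A-Za-z]
// using a cryptographically secure random source. SHA-crypt uses at most 16 chars.
function cryptSalt(int $length = 16): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $max = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, $max)];
    }
    return $salt;
}

// Hash a password with SHA-512 crypt ($6$). The rounds value is an example choice;
// the crypt default of 5000 is low for modern hardware.
function sha512CryptHash(string $password, int $rounds = 100000): string
{
    $setting = sprintf('$6$rounds=%d$%s$', $rounds, cryptSalt());
    $hash = crypt($password, $setting);
    // On failure crypt() returns a string shorter than 13 characters (e.g. "*0").
    // Storing that would leave the account without a usable hash, so refuse it.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() rejected the setting string');
    }
    return $hash;
}

// Verify by re-running crypt() with the stored hash as the setting string
// (it carries the algorithm, rounds and salt) and comparing in constant time.
function sha512CryptVerify(string $password, string $storedHash): bool
{
    $recomputed = crypt($password, $storedHash);
    return strlen($recomputed) >= 13 && hash_equals($storedHash, $recomputed);
}

$stored = sha512CryptHash('correct horse battery staple');
var_dump(sha512CryptVerify('correct horse battery staple', $stored));
var_dump(sha512CryptVerify('Tr0ub4dor&3', $stored));

// With a per-password random salt, hashing the same password twice yields different
// strings. A fixed salt would produce identical hashes and reveal shared passwords.
var_dump(sha512CryptHash('correct horse battery staple') !== sha512CryptHash('correct horse battery staple'));
```

Every one of those steps (salt generation, failure check, constant-time compare) is something password_hash() and password_verify() do internally; the example exists to make the amount of easy-to-get-wrong code visible.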
password_hash() is a modern password hashing function introduced in PHP 5.5. It uses bcrypt by default, and newer versions add argon2i (PHP 7.2) and argon2id (PHP 7.3) when PHP is built with Argon2 support. It is designed specifically for password storage: it generates a random salt automatically and applies a sane default cost factor (which can be tuned through the options array), which greatly simplifies writing secure code.
```php
$password = 'mySecretPassword';
$hash = password_hash($password, PASSWORD_DEFAULT); // uses bcrypt by default
```
The returned $hash is a self-describing string that encodes the algorithm, the cost and the salt, so the developer does not need to store or manage any of them separately.
| Characteristic | crypt() | password_hash() |
|---|---|---|
| Salt management | Developer must generate and supply it | Generated automatically |
| Algorithm | Several; selected via the salt format | bcrypt by default; argon2i/argon2id supported |
| Security | Depends on implementation and configuration | Secure by default, following best practices |
| Ease of use | Complex, error-prone | Simple, easy to use |
| Recommendation | Not recommended for new projects | Strongly recommended |
The algorithms behind password_hash() (bcrypt and argon2) are purpose-built for password hashing: they are deliberately slow and tunable, and argon2 is also memory-hard, so they resist modern cracking techniques such as GPU-accelerated brute force far better than fast general-purpose hashes like MD5 or SHA-256.
By passing the PASSWORD_DEFAULT constant you let PHP choose the algorithm, so a future PHP release can move to a stronger one without any change to your code. For example:
```php
$hash = password_hash($password, PASSWORD_DEFAULT);
```
As PHP evolves, PASSWORD_DEFAULT may be switched to a stronger algorithm (for example from bcrypt to argon2id); as of PHP 8.x it still resolves to bcrypt. Two practical consequences follow: store hashes in a column wide enough for future formats (the PHP manual recommends 255 characters, since bcrypt's 60-character output is not guaranteed to stay the maximum), and call password_needs_rehash() at login so existing hashes are upgraded transparently when the default changes.
Because password_hash() handles the salt and the cost factor itself, it removes the whole class of security bugs that come from developers configuring those by hand: fixed salts, salts reused across users, or misformatted setting strings.
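The verification side, as an added example that is not part of the original article: a login routine that checks the password with password_verify() and, when the stored hash is older than the current policy (a different algorithm or a lower cost), transparently upgrades it using password_needs_rehash(). The in-memory $users array stands in for a database table, the cost of 12 and the function names are this example's own assumptions, and a dummy hash is verified for unknown usernames so that response time does not reveal whether an account exists.

```php
<?php
declare(strict_types=1);

// Current hashing policy. PASSWORD_DEFAULT leaves the algorithm choice to PHP;
// 'cost' is the bcrypt work factor (assumed value for this example; tune it so a
// single hash takes roughly 100-250 ms on your production hardware).
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Registration: hash with the current policy. $users stands in for a DB table.
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

// A hash of a throwaway random value, computed once per process, verified when the
// username is unknown so "no such user" and "wrong password" cost about the same time.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);
    }
    return $hash;
}

// Login: verify, then upgrade the stored hash if it no longer matches the policy.
// This is the only moment the plaintext is available, so rehashing must happen here.
function loginUser(array &$users, string $username, string $password): bool
{
    $stored = $users[$username] ?? null;
    if ($stored === null) {
        password_verify($password, dummyHash());
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Demonstration with a constructed legacy record: bcrypt at cost 10, below policy.
$users = [];
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
print_r(password_get_info($users['alice']));    // algorithm and cost before login

var_dump(loginUser($users, 'alice', 'wrong password'));                // rejected, hash untouched
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));  // accepted, then rehashed
print_r(password_get_info($users['alice']));    // algorithm and cost after the upgrade

var_dump(loginUser($users, 'nobody', 'anything'));  // unknown user still performs a verify

registerUser($users, 'bob', 'another passphrase');
var_dump(loginUser($users, 'bob', 'another passphrase'));
```

password_needs_rehash() returns true whenever the algorithm or any option encoded in the stored hash differs from the policy you pass in, so raising the cost or changing PASSWORD_DEFAULT in a new PHP release is picked up automatically at the user's next successful login. The 'cost' option is bcrypt-specific; if you switch the policy to argon2id, replace it with memory_cost, time_cost and threads.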
If you are building a user authentication system, a registration handler can be as simple as the following:
```php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($username === '' || $password === '') {
        http_response_code(400);
        exit('username and password are required');
    }
    // Hash with the current default algorithm; the salt is generated internally.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Save to database through a prepared statement; exception mode surfaces PDO errors.
    $conn = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
    header('Location: https://m66.net/login-success');
    exit;
}
```
In this scenario password_hash() is clearly the safer and more modern option, and it keeps the system secure and maintainable over the long term: the stored hash carries everything needed to verify it, and the algorithm or cost can be raised later without schema changes.
Although crypt() still works, password_hash() is the better choice in terms of security, ease of use and future maintainability. Wherever user passwords are handled, pair password_hash() with password_verify() to check user input rather than recomputing and comparing hashes yourself: password_verify() parses the stored hash format and compares in constant time, which is how you build a safer PHP application.