The accepted best practice in PHP passwords, as of PHP 5.5, is password_hash. It presents a single, unified, built-in, future-compatible way to generate a secure password hash.
If you are using a security-updated version of 5.3.x or higher, you can use the password_compat library instead.
Under the covers, the current version makes calls to crypt with some predefined security options. Future versions may change the default options.

Please be sure to carefully read the section on the crypt page that talks about CRYPT_BLOWFISH versioning, as well as review the versioning notes on the password_compat page.
As noted clearly in the warning message, PBKDF2 is accepted by the NIST as an adequate way to store passwords. You can use implementations of it without significant concern, but you should only do so if you either need support for PHP versions prior to 5.3, or need to support PHP versions that have a broken CRYPT_BLOWFISH.
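The register/verify flow the answer recommends, as an added example that is not part of the original post: it assumes PHP 5.5+ (or the password_compat polyfill, which provides the same function names), and uses a constructed in-memory array in place of a real user table. Because the algorithm and cost are encoded in the hash string, `password_needs_rehash` lets you roll out a changed default or a higher cost on the next successful login without invalidating existing hashes.

```php
<?php
// Added example (not from the original answer). $users is a constructed
// stand-in for a user table: username => stored hash string.
$users = [];

// Options we currently want for new and refreshed hashes. Raising the cost
// here is all it takes to migrate users over time via loginUser().
const HASH_OPTIONS = ['cost' => 12];

function registerUser(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT may change in future PHP releases; the chosen
    // algorithm, cost and salt are embedded in the returned string, so older
    // hashes keep verifying after an upgrade.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function loginUser(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }

    // password_verify() reads the algorithm/cost prefix from the stored
    // hash and performs a constant-time comparison of the result.
    if (!password_verify($password, $users[$name])) {
        return false;
    }

    // Opportunistic upgrade: if the stored hash was made with an older
    // default algorithm or a lower cost, rehash now while we still have
    // the plaintext, then persist the new hash.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }

    return true;
}

// Constructed sample run.
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'mallory', 'anything'));
```

If you later bump the cost in `HASH_OPTIONS`, each user's hash is refreshed transparently on their next successful login; the stored string begins with `$2y$`, the fixed CRYPT_BLOWFISH identifier the answer's versioning note refers to.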