blowfish

I have read the information provided on the PHP Manual Entry for crypt() , but I find myself still unsure of the format for a salt to trigger the Blowfish algorithm. According manual entry, I should use '$2$' or '$2a$' as the start of a 16 character string. However, in the example given later, they use a much longer string: ' $2a$07$usesomesillystringforsalt$ ', which indicates to me that whatever string I provide will be sliced and diced to fit the model. The problem I am encountering is actually triggering the Blowfish algo vs STD_DES . Example: $foo = 'foo'; $salt = '$2a$' . hash('whirlpool

I am having a bit little bit of trouble understanding php's crypt function. My PHP version is 5.4.7. I want to use crypt to store salted passwords in the database, because as far as I am told, developers who use md5 to hash passwords are to be staked and burned on the spot. I wanted to use the blowfish alg to generate the hash. Now, according to the php documentation, crypt uses blowfish if you call it with "$2y$" + cost (for instance: "08") + "$" + 22 characters salt ( ./0-9A-Za-z ). However, the output of this little bit of test code is confusing me: echo "<pre>"; if (CRYPT_BLOWFISH == 1) {

The last week I read a lot articles about password hashing and Blowfish seems to be (one of) the best hashing algorithm right now - but that's not the topic of this question! The 72 character limit Blowfish only consider the first 72 characters in the entered password: <?php $password = "Wow. This is a super secret and super, super long password. Let's add some special ch4r4ct3rs a#d everything is fine :)"; $hash = password_hash($password, PASSWORD_BCRYPT); var_dump($password); $input = substr($password, 0, 72); var_dump($input); var_dump(password_verify($input, $hash)); ?> The output is:

This question has to do with PHP's implementation of crypt() . For this question, the first 7 characters of the salt are not counted, so a salt ' $2a$07$a ' would be said to have a length of 1, as it is only 1 character of salt and seven characters of meta-data. When using salt strings longer than 22 characters, there is no change in the hash generated (i.e., truncation), and when using strings shorter than 21 characters the salt will automatically be padded (with ' $ ' characters, apparently); this is fairly straightforward. However, if given a salt 20 characters and a salt 21 characters,

Does anyone have pros and cons together for comparing these encryption algorithms ? Use AES. In more details: DES is the old "data encryption standard" from the seventies. Its key size is too short for proper security (56 effective bits; this can be brute-forced, as has been demonstrated more than ten years ago ). Also, DES uses 64-bit blocks, which raises some potential issues when encrypting several gigabytes of data with the same key (a gigabyte is not that big nowadays). 3DES is a trick to reuse DES implementations, by cascading three instances of DES (with distinct keys). 3DES is believed