Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

Portable PHP password hashing framework

Please note that password hashing is often wrongly referred to as "password encryption". Hashing is a more appropriate term since encryption is something that is supposed to be easily reversible.

phpass (pronounced "pH pass") is a portable public domain password hashing framework for use in PHP applications. It is meant to work with PHP 3 and above, and it has actually been tested with at least PHP 3.0.18 through 5.4.x so far. (PHP 3 support is likely to be dropped in next revision.)

The preferred (most secure) hashing method supported by phpass is the OpenBSD-style Blowfish-based bcrypt, also supported with our public domain crypt_blowfish package (for C applications), and known in PHP as CRYPT_BLOWFISH, with a fallback to BSDI-style extended DES-based hashes, known in PHP as CRYPT_EXT_DES, and a last resort fallback to MD5-based salted and variable iteration count password hashes implemented in phpass itself (also referred to as portable hashes).

To ensure that the fallbacks will never occur, PHP 5.3.0+ or the Suhosin patch may be used. PHP 5.3.0+ and Suhosin integrate crypt_blowfish into the PHP interpreter such that bcrypt is available for use by PHP scripts even if the host system lacks support for it.

Included in the package are a PHP source file implementing the PasswordHash PHP class, a tiny PHP application demonstrating the use of the PasswordHash class, and a C reimplementation of the portable hashes (used for testing correctness of the primary implementation only).

There's a lengthy article/tutorial on introducing password hashing with phpass into a PHP application, as well as on other aspects of managing users and passwords. This article along with sample programs referenced from it is also available for download below. Some of you might prefer this much shorter third-party article focusing solely on introducing phpass into a PHP application. Finally, also relevant is our presentation on the history of password security.


These and other related files are also available from the Openwall file archive. The source code of phpass may be browsed via CVSweb.

Follow this link for information on verifying the signatures.

We may help you integrate phpass into your applications, please check out our services.

Contributed resources:

The Authen::Passphrase::PHPass Perl module reimplements the support for portable hashes introduced in phpass, but in Perl.

phpass has been integrated into WordPress 2.5+ (more info), bbPress (more info), Vanilla, PivotX 2.1.0+, Textpattern 4.4.0+, and concrete5 5.6.3+.

A cut-down version of phpass (supporting the portable hashes only) has been integrated into phpBB3 (although they have changed the hash type identifier string from "$P$" to "$H$", the hashes are otherwise compatible with those of genuine phpass).

Similarly, phpass forced to use the portable hashes only has been integrated into Joomla starting with versions 2.5.18 and 3.2.1.

A cut-down and reworked version of phpass (supporting the portable hashes only and requiring PHP 5+) has been integrated into development versions of Drupal leading to the Drupal 7 release, after a lengthy discussion and many proposed patches against various development versions of Drupal. There's a notion of upgraded hashes - these are phpass portable hashes of md5() hashes (which were used by older versions of Drupal), with the final hash encodings prefixed with a "U" (for "upgraded"). A more recent lengthy discussion has resulted in Drupal 7 switching from MD5 to SHA-512 for the underlying cryptographic primitive in phpass' "portable" hashes (making them less portable) while preserving "read-only" support for the MD5-based portable hashes. This change was made primarily for "political" reasons. Drupal 7's SHA-512 based phpass-like hash encoding strings use "$S$" as the hash type identifier.

There's also a module for Drupal 5 & 6 that makes the original phpass available with those versions of Drupal, including support for the more secure but not nearly as portable CRYPT_BLOWFISH and CRYPT_EXT_DES hashes.

A revision of phpass modified to use SHA-1 in the portable hashes, with the "$Q$" prefix to distinguish those, has been integrated into Escher CMS 0.9.2. After Drupal, this is another example of a project breaking compatibility for no good reason. Please don't do things like that!

Finally, there was an extension for the TYPO3 CMS that integrated support for phpass portable hashes into TYPO3, but it has since been replaced by reimplemented yet compatible phpass code integrated into TYPO3 proper.

phpass is a registered project with Open Hub.

The development of phpass and efforts on getting it into Drupal are partially supported by CivicActions, a Drupal consulting company.

Quick Comment:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ