why didn't you simply use one of the great password libraries?
For modern PHP, there's the excellent password_compat
, which has the nice feature of being compatible with the new password API in PHP 5.5. So as soon as PHP 5.5 is out, you can simply remove the library and use the native functions without having to change the code. For legacy PHP, there's PHPass
As a layman (which we all are), you should never
fumble with low-level cryptography. Functions like crypt()
aren't meant to be used directly in application code, they're written for password libraries. Trying to use the "raw" function is very risky, because there's a lot of mistakes you can make. You can easily break the whole thing.
For example, you totally forgot the error checking, so you cannot even tell what you're storing and comparing there. Could be some garbage strings. The underlying hash algorithm is not secure (even if this is just a demo). The salt is not secure (as you already mentioned). Maybe there are other issues -- I don't know, because like all of us, I'm not a cryptographer.
I strongly suggest getting away from home-made functions and using an established and well-tested library like the ones above. They've been written by people who know this stuff, and they've proven themselves in reality many time. So you can be pretty sure they actually work. That's not even remotely true for home-made code. Even if we
told you that everything is fine, that wouldn't mean a thing.
I think one of the most important qualities of a good developer is that they know their limits and know when to use a library. Cryptography is something we should keep our hands off and leave to the experts -- just like we leave heart surgeries to actual doctors. I mean, when you're having a lot of trouble with the implementation, isn't that already a warning sign?