I'm reading up on protecting passwords and want to get feedback on whether my code is correct. I'm trying to use Blowfish and crypt() together to prevent anyone from decrypting passwords. Also, I have a question. When I store the password, I assume I will also have to store the variable $string so that I can use it again to verify the user when he signs in, correct?
```php
function unique_md5() {
    mt_srand(microtime(true)*100000 + memory_get_usage(true));
    return md5(uniqid(mt_rand(), true));
}
//unique_md5 returns a random 16 character string
$string = '$2a$07$' . unique_md5();
$password = 'password';
$password = trim($password);
$protected_password = crypt($password, $string);
//then store the variables $string and $protected_password into the database
```
Blowfish takes a 22-character string for its salt (that's not including the type and the cost parameter). MD5 returns a 32-character string, which is not accepted by crypt_blowfish. Use proper salts.
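An added example, not code from the question or the answer: building a 22-character salt from the OS CSPRNG, hashing with crypt(), and verifying against the stored hash alone, since the 60-character output already carries the type, cost and salt. The function names are hypothetical, `$2y$` is assumed in place of the question's `$2a$` (PHP 5.3.7 and later), and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added example (hypothetical helper names); not the original poster's code.

// Build a 22-character salt in bcrypt's alphabet (./0-9A-Za-z).
function bcrypt_salt(): string
{
    // 16 bytes from the OS CSPRNG encode to 22 base64 characters plus "==".
    $b64 = base64_encode(random_bytes(16));
    // Standard base64 uses '+', which bcrypt's alphabet lacks; map it to '.'.
    return substr(strtr($b64, '+', '.'), 0, 22);
}

function hash_password(string $password): string
{
    // Same layout as the question: type, cost 07, then the 22-character salt.
    $hash = crypt($password, '$2y$07$' . bcrypt_salt());
    // A valid bcrypt result is always 60 characters; anything else is a failure token.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not accept the salt');
    }
    return $hash;
}

function check_password(string $password, string $stored): bool
{
    // Passing the stored hash as the salt argument makes crypt() reuse the
    // type, cost and salt embedded in it, so no separate salt column is needed.
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_password('password');           // constructed sample password
var_dump(strlen($stored));                     // length of the value to store
var_dump(check_password('password', $stored)); // correct password
var_dump(check_password('Password', $stored)); // wrong password

// The built-in API (PHP 5.5+) generates the salt itself and uses the same format.
$builtin = password_hash('password', PASSWORD_BCRYPT, ['cost' => 7]);
var_dump(password_verify('password', $builtin));
```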