I'm about to implement phpass in a new application because of its theoretical and technical arguments towards security. It is of course not the only security measure, but for hashing passwords this seems to me like the best available.
However, I don't really get happy when looking at its source code. It goes against some of my most basic code conventions, especially when it comes to security.
return $hash == $stored_hash;
I would always use the identical operator (===) in code around security.
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
I would always use curly brackets ({ }) with an if. It doesn't matter that much whether they are on the same line, but just omitting them even though it is possible doesn't give me a good feeling.
Also, there is no way of forcing the CRYPT_BLOWFISH method. Right now I do that by checking for the length to be exactly 60 chars in my own wrapper.
I was wondering if someone knows an updated version? An improved one which is maintained and checked upon by a larger community than just one person? A newer version which makes full use of PHP5, for example unbuffered reads, as the author himself already suggests?
Or maybe I'm just being paranoid with no real reason.
If it is a new application, use https://github.com/ircmaxell/password_compat for password hashing. It works with PHP >= 5.3.7 and reimplements the upcoming password functions of PHP 5.5.
There really is no alternative to secure password hashing.
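As an added example (not code from phpass or from password_compat), here is a small wrapper in the spirit of what the question asks for: it pins the stored hash to bcrypt by its "$2y$" prefix rather than only by its 60-character length, refuses anything else instead of falling back, and delegates the actual comparison to password_verify() from password_compat (or PHP 5.5), which compares in constant time. The function names and the cost value are my own choices.

```php
<?php
// Added example, not phpass or password_compat code. Assumes PHP >= 5.3.7 with
// password_compat loaded, or PHP >= 5.5 where password_hash()/password_verify()
// are built in.
// require_once 'password.php'; // from ircmaxell/password_compat on PHP < 5.5

// Why "==" on hash strings is risky: PHP compares two numeric-looking strings
// as numbers, so two different hex digests of the form "0e<digits>" both
// evaluate to 0 and this loose comparison evaluates to true. "===" does not.
function looseCompareIsUnsafe() {
    return '0e462097431906509019562988736854' == '0e830400451993494058024219903391';
}

// A bcrypt hash is "$2y$" + two-digit cost + "$" + 22-char salt + 31-char hash,
// 60 characters in total. Checking only the length (as the question's wrapper
// does) would also accept other 60-character strings; the prefix pins the algorithm.
function isBcryptHash($stored) {
    return is_string($stored)
        && strlen($stored) === 60
        && preg_match('/^\$2y\$\d{2}\$/', $stored) === 1;
}

// Hash with bcrypt only. If CRYPT_BLOWFISH is unavailable, password_hash() does
// not return a bcrypt string, so we fail loudly instead of storing something weaker.
function hashPassword($password, $cost = 12) {
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if (!isBcryptHash($hash)) {
        throw new RuntimeException('bcrypt hashing is not available on this system');
    }
    return $hash;
}

// Verify only against bcrypt hashes; password_verify() performs the
// constant-time comparison, so no "==" or "===" on the digest is needed here.
function verifyPassword($password, $stored) {
    if (!isBcryptHash($stored)) {
        return false;
    }
    return password_verify($password, $stored);
}

// Constructed sample usage.
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
var_dump(verifyPassword('anything', str_repeat('a', 60))); // 60 chars but not bcrypt
var_dump(looseCompareIsUnsafe());
```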