Tags: php, cryptography, bcrypt, crypt

Bcrypt with PHP 5.4.16 - level of work


I am looking to implement BCrypt in a web application, however I am lost as to how to incorporate or change the level of work (iterations/rounds):

The php.net documentation for the crypt function states:

As of PHP 5.3.0, PHP contains its own implementation.

I understand that using $pw = crypt($password); will automatically create a random salt for me and that I can just store $pw in the database.

I understand that I can check the password validity using

// re-hash the user input with the stored hash as the salt; crypt() reads the
// algorithm, cost and salt from the prefix of $pw, so the result must match
if ( crypt($user_input, $pw) == $pw ) {
    // password is valid
} else {
    // password is not valid
}

I am aware that the reason Bcrypt is so good is that bcrypt is an adaptive function based on the Blowfish crypt. Over time, the number of rounds can be increased to make it slower, so it remains resistant to brute force attacks despite faster computing technology.

So my question is, how do I slow down or speed up the checking of validity of the password? Or in another way, how do I set default number of iterations required to create my hashed password?


Solution

  • Here's one solution:

    https://github.com/ircmaxell/password_compat

    Usage:

    $options = array('cost' => 8); // 2^cost is the number of iterations 
    $hash = password_hash("adsfasdf", PASSWORD_BCRYPT, $options);
    

    See here for a more thorough answer:
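The following is an added example, not code from the question, the answer above, or the password_compat project. It shows the two places the cost lives in practice: in the `$2y$<cost>$<salt>` prefix when you call `crypt()` directly (PHP 5.3.7 or later, which covers the 5.4.16 in the question), and in the `cost` option when you use `password_hash()` (native in PHP 5.5, or supplied by password_compat on 5.4). It also goes a little beyond the answer: it benchmarks the server to choose a cost, verifies a password, and rehashes a stored hash when the configured cost has been raised, which is how the "increase the rounds over time" property is actually used. The function names, the 0.25 second time budget and the use of `openssl_random_pseudo_bytes()` for salt bytes are this example's own assumptions.

```php
<?php
// Added example, not from the original page or from password_compat.
// Assumes PHP >= 5.3.7 for crypt() with the "$2y$" prefix, and either
// PHP >= 5.5 or password_compat (require 'password.php') for the
// password_hash()/password_verify()/password_needs_rehash() functions.

// 1. Set the cost through crypt(): the work factor is part of the salt string
//    "$2y$<cost>$<22 salt chars>", and bcrypt runs 2^cost rounds.
function bcrypt_with_crypt($password, $cost) {
    // 16 random bytes -> 22 characters from the bcrypt alphabet ./A-Za-z0-9
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $prefix = sprintf('$2y$%02d$', $cost);   // cost must be two digits, 04..31
    return crypt($password, $prefix . $salt);
}

// 2. Same thing through the password_* API: the cost is an option.
function bcrypt_with_api($password, $cost) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// 3. Choose the cost empirically: the highest cost whose hash still finishes
//    inside the time budget on this server (assumption of this example).
function pick_cost($target_seconds, $min = 8, $max = 31) {
    $cost = $min;
    do {
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, array('cost' => $cost));
        $elapsed = microtime(true) - $start;
        if ($elapsed >= $target_seconds) {
            return max($min, $cost - 1);  // last cost that fit in the budget
        }
        $cost++;
    } while ($cost <= $max);
    return $max;
}

// 4. Verify, and transparently upgrade the stored hash when the configured
//    cost is higher than the one it was created with.
function verify_and_maybe_rehash($password, $stored_hash, $current_cost) {
    if (!password_verify($password, $stored_hash)) {
        return array(false, $stored_hash);
    }
    $opts = array('cost' => $current_cost);
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, $opts)) {
        // caller writes the new hash back to the database
        return array(true, password_hash($password, PASSWORD_BCRYPT, $opts));
    }
    return array(true, $stored_hash);
}

// Demo with a constructed password: an old cost-8 hash, then a login under
// whatever cost the benchmark picks.
$secret = 'correct horse battery staple';
$old    = bcrypt_with_crypt($secret, 8);          // starts with "$2y$08$"
$cost   = pick_cost(0.25);
list($ok, $new) = verify_and_maybe_rehash($secret, $old, $cost);

echo "old hash:    $old\n";
echo "chosen cost: $cost\n";
echo ($ok ? 'valid' : 'invalid') . ", rehashed: " . ($new !== $old ? 'yes' : 'no') . "\n";
```

The benchmark loop is the answer to "how do I slow down or speed up the check": raising the cost by one doubles the time for both your login path and an attacker's guessing, so pick the largest value your login latency budget tolerates and store that number in configuration; `password_needs_rehash()` then lets existing rows migrate to the new cost the next time each user logs in, without a bulk reset.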