The question my seem nerd but I'm a newbie to those PHP password encryption libraries and methods.
I found a lot of posts about use bcrypt for highest level of secure password hashing.
I found out that in PHP 5.5, we can use password_hash() function to create a bcrypt password. But most of hosting web servers still don't support PHP 5.5. It is really awkward.
I also found out another commonly use function crypt() which support six hashing algorithms. It is fortunate that this function can also produce bcrypt hashed password by providing proper format string such as $2a$12$. Again official php docs says that it is supported in PHP 5. Therefore I decided to use this one for my project.
I just want to know that the security level of this crypt() function (with $2a$12$) is equal to password_hash() function of PHP 5.5.
I also found out that password_hash() compatible library for lower version of PHP. Is this library provide other advantages over crypt() function?
Please, share your any suggestions. I'm really ambiguous now. Thanks in advance.
$2a$ hashes are not secure, see this page for details. PHP 5.3.7 and above uses $2y$. crypt can generate secure hashes, but you need to provide a salt manually. If you generate a weak salt, then the hash won't be secure enough.
Because of this, I suggest to use password_compat. It was developed by Anthony Ferrara who implemented the password_hash functions into PHP 5.5. It provides an easy and secure way to hash and compare passwords.