I'd suspect the reason for the requirements is the same as for ircmaxell's more famous password_compat library:
Requirements
This library requires PHP >= 5.3.7
OR a version that has the $2y
fix backported into it (such as RedHat provides). Note that Debian's
5.3.3 version is NOT supported.
The runtime checks have been removed due to this version issue. To see
if password_compat is available for your system, run the included
version-test.php
. If it outputs "Pass", you can safely use the
library. If not, you cannot.
If you attempt to use password-compat on an unsupported version,
attempts to create or verify hashes will return false
. You have been
warned!
The reason for this is that PHP prior to 5.3.7 contains a security
issue with its BCRYPT
implementation.
Therefore, it's highly recommended that you upgrade to a newer version
of PHP prior to using this layer.
It sounds like your 5.3.3 version does not have the backport fix (based on that it looks Debian based, confirm yourself if the fix has been backported specifically to your version or not), so you really shouldn't be running this code (or any bcrypt based code) on 5.3.3 as it may open you up to actual security vulnerabilities.