Correctly using crypt() with SHA512 in PHP

All the examples online show the use of crypt like this:

$pass = crypt('something','$6$rounds=5000$anexamplestringforsalt$');

But everyone says that you are not supposed to define the rounds or the salt.

So how should I use it?

Also I am having a problem: when I run the code above, it only runs 50 rounds instead of 5000 rounds as if the system is stopping it.

Any help will be greatly appreciated.

//- Solution -//

I have found some of these to be useful:

For generating Salt:

Here is a random way of generating salt

$randomString = random_bytes(32);

Base 64 encode to ensure that some characters will not cause problems for crypt

$salt = base64_encode($randomString);

For Hashing:

$hashed = crypt($passwordInput, '$6$'.$salt);

To Confirm:

// hash_equals() compares the two hashes in constant time
if (hash_equals($hashed, crypt($passwordInput, $hashed))) {
  // Valid action
} else {
  // Invalid action
}

** Special Thanks to @lathspell for help with arriving at above solution **

ShadowZzz asked Aug 19 '13 02:08




3 Answers

The main reason to run the algorithm for a certain amount of rounds is simply to slow it down to make brute forcing attacks uninteresting. For that 5000 iterations are enough even for modern hardware. You could as well use 100000 but then your server admin would probably want to have a word with you :-) rounds=5000 is the default for SHA-512. The minimum is 1000 and the maximum very high.

lathspell answered Oct 24 '22 01:10


Use OpenSSL for salt generation, it's even more random. And maybe 20000 rounds to future proof your code a bit.

function cryptPassword($password, $salt = "", $rounds = 20000)
{
    if ($salt == "")
    {
        // Generate random salt
        $salt = substr(bin2hex(openssl_random_pseudo_bytes(16)),0,16);
    }
    // $6$ specifies SHA512
    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));

    return $hash;
}

Jens Lorentsson answered Oct 24 '22 03:10
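
Pulling the thread's pieces together, as an added example that is not code from any of the posters: a 16-character salt (the most SHA-512 crypt uses) drawn from the conventional crypt alphabet, an explicit rounds field, a check for crypt()'s failure return, and constant-time verification. The function names, the constant and the sample password are assumptions made for illustration.

```php
<?php
// Added example; all function names here are hypothetical.

// Rounds crypt() applies when the hash string has no rounds= field.
const SHA512_DEFAULT_ROUNDS = 5000;

/** Build a "$6$rounds=N$salt$" setting string with a fresh random salt. */
function sha512CryptSetting(int $rounds): string
{
    if ($rounds < 1000) {
        throw new InvalidArgumentException('SHA-512 crypt needs at least 1000 rounds');
    }
    // 12 random bytes encode to exactly 16 base64 characters, with no '=' padding.
    // '+' is outside the crypt salt alphabet [./0-9A-Za-z], so map it to '.'.
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    return sprintf('$6$rounds=%d$%s$', $rounds, $salt);
}

function hashPassword(string $password, int $rounds = SHA512_DEFAULT_ROUNDS): string
{
    $hash = crypt($password, sha512CryptSetting($rounds));
    // On failure crypt() returns a string shorter than 13 characters.
    if (strlen($hash) < 13 || strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('crypt() could not produce a SHA-512 hash');
    }
    return $hash;
}

function verifyPassword(string $password, string $stored): bool
{
    // The stored hash carries its own rounds and salt, so it doubles as the setting.
    return hash_equals($stored, crypt($password, $stored));
}

/** Read the work factor back out of a stored hash, e.g. to decide on a rehash. */
function roundsOf(string $stored): int
{
    if (!preg_match('/^\$6\$(?:rounds=(\d+)\$)?/', $stored, $m)) {
        throw new InvalidArgumentException('not a SHA-512 crypt hash');
    }
    return isset($m[1]) ? (int) $m[1] : SHA512_DEFAULT_ROUNDS;
}

// Constructed sample run.
$stored = hashPassword('correct horse battery staple', 20000);
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong guess', $stored));
var_dump(roundsOf($stored));
```

Comparing roundsOf() against the current target at login time lets a hash be regenerated with more rounds while the plaintext password is still in hand.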


hash could be an option. You can use hash('sha512', $stringInput);

r.cartojano answered Oct 24 '22 02:10