The problem that phpass solves is not specifically a weakness in md5, but
that all cryptographic hashes are insecure to store passwords by
themselves. Computers are getting faster and especially with GPUs and FPGAs
brute forcing password hashes is getting faster and faster. The solution is
to use a slower hash function, or using a standard hash function but
applying it 10000 times instead of once. The slowdown from (say) 10
microseconds to 10 milliseconds is insignificant for logging in, but slows
down brute force cracking of a stolen hash by 1000 times. But see the
article at for a more
complete explanation.

Phpass checks which cryptographic functions are available, first trying
bcrypt (a.k.a. CRYPT_BLOWFISH in php), then CRYPT_EXT_DES, and falls back
to applying md5 a few thousand times. Both crypt_blowfish and crypt_ext_des
are specialized password hash functions that use a configurable number of
rounds of an underlying cryptographic hash.

On Fri, Jun 15, 2012 at 6:51 PM, Wolfgang Dautermann <> wrote:

> Am 13.06.2012 22:37, schrieb Jan Kanis:
> > Thanks! I'll have a look at what the admin side of sourceforge
> > brings.
> >
> > Regarding password storage, the problem is that /password/ hashing
> > should be (relatively) slow, to prevent brute force searches on ever
> > faster hardware. I want to use phpass
> > <> for that,
> I did a quick look on the code - does it use a more secure hash than
> md5()? I think, there is my solution (if function_exists(sha1), use it)
> better.
> (I am going to a bike tour tomorrow and will be offline for some days...)
> > I also intend to keep everything php4 compatible, when I first
> > started using phpshell I also needed that.
> Ok.
> Best regards, Wolfgang
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
phpshell-devel mailing list

Reply via email to