dongxia4880 2016-10-23 09:04
Views: 71

Is mcrypt deprecated? - How do I correctly encrypt and store passwords in PHP?

I was told that PHP mcrypt is deprecated and I should use a different method to hash and salt my passwords.

This is what I do currently:

public function saveNewUser(array $data) {
  $passwd = $this->mysqli->real_escape_string($data['passwd']);
  $options = [
      'cost' => 11,
      'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)
  ];

  $hashed_passwd = password_hash($passwd, PASSWORD_BCRYPT, $options);
  $this->optin_hash = md5(rand());
  //...
  //save user in DB with hashed passwd
}

Login:

if (password_verify($_POST['user_password'], $result_row->gmw_usr_passwd)) {
    // do some login stuff
}

1.) What is the latest and most secure way to hash and save a password? Can you give a usage example, or a link showing how to hash and save a password correctly and how to verify it at login?

2.) In the PHP documentation I read something about password_hash:

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

(...)

Warning The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

2.a) Is password_hash an alternative to what I used?

2.b) So I don't need to add salt by myself?

2.c) What about that Blowfish algorithm I used and all the other steps I added? Are they not necessary anymore?

2.d) how do I verify the passwords for login, when I use password_hash?

EDIT: Sorry I saw that I already use password_hash (it was a very short coding-night).

As described by Artjom B. I don't need mcrypt (?)


1 answer

  • dongya8378 2016-10-23 09:23

    The new standard way, according to PHP documentation for PHP 7.0, is to use password_hash to hash the original password and then password_verify at login time, to verify the correctness of the provided password.

    These functions are wrappers around the fundamentals, like crypt(), and are recommended because they take care of things that you and I will never think about, like choosing the correct source of randomness for generating the salt (you can't use a standard rand function for encryption).

    Coming to 2b and the rest: you don't need to add the salt yourself, because it is generated by PHP and included in the password hash, and all the necessary steps are done for you.

    You just need to save the hashed password, created with password_hash, on the database and then use it, at login time, to compare it with the user-supplied password using password_verify.

    Also, yes, mcrypt is deprecated because it's not updated anymore.

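The registration and login flow the answer describes, as an added example that is not part of the original question or answer. It replaces the three pieces of the asker's snippet that the answer says are unnecessary or unsafe: the hand-built salt from mcrypt_create_iv(), the md5(rand()) opt-in token, and real_escape_string() on the password before hashing (a prepared statement is the right place for escaping, and mangling the password before hashing is pointless). A constructed in-memory array stands in for the users table so the script runs offline; the function names, the `cost` of 11 and the column layout are assumptions, not the original code.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumptions: a users "table"
// modelled as an in-memory array, bcrypt with the same cost the question used.
const BCRYPT_OPTIONS = ['cost' => 11];

/** @var array<string, array{passwd: string, optin: string}> constructed stand-in for the DB table */
$users = [];

// Registration. No 'salt' option is passed: password_hash() draws a 16-byte
// salt from the OS CSPRNG and embeds it in the returned "$2y$11$..." string
// (60 chars for bcrypt), so the hash string is the only thing to store.
// Note: bcrypt only looks at the first 72 bytes of the password.
function saveNewUser(array &$store, string $username, string $password): string
{
    $hashed = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    if ($hashed === false) {            // PHP 7 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    // Opt-in token: random_bytes() (a CSPRNG) replaces md5(rand()), whose
    // seed-driven output is predictable. 32 bytes -> 64 hex characters.
    $optin = bin2hex(random_bytes(32));

    // Production equivalent of the next line, with mysqli:
    //   $stmt = $mysqli->prepare('INSERT INTO users (name, passwd, optin) VALUES (?, ?, ?)');
    //   $stmt->bind_param('sss', $username, $hashed, $optin);
    //   $stmt->execute();
    $store[$username] = ['passwd' => $hashed, 'optin' => $optin];
    return $optin;
}

// Login. password_verify() parses algorithm, cost and salt out of the stored
// hash and compares in constant time; the caller never touches the salt.
function login(array &$store, string $username, string $password): bool
{
    // A precomputed hash is verified for unknown users too, so response time
    // does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }

    $row  = $store[$username] ?? null;
    $hash = $row['passwd'] ?? $dummyHash;

    // Verify first (always runs), then reject unknown users regardless.
    if (!password_verify($password, $hash) || $row === null) {
        return false;
    }

    // If the stored hash was made with an older cost or algorithm, re-hash
    // now while the plaintext is available and persist the new hash.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $store[$username]['passwd'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

// Opt-in confirmation: compare tokens in constant time, never with == or ===.
function confirmOptin(array &$store, string $username, string $token): bool
{
    $row = $store[$username] ?? null;
    if ($row === null) {
        return false;
    }
    return hash_equals($row['optin'], $token);
}

// Demo run with constructed input.
$token = saveNewUser($users, 'alice', 'correct horse battery staple');
echo 'stored hash: ', $users['alice']['passwd'], PHP_EOL;   // "$2y$11$" + 22-char salt + 31-char hash
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'not the password'));
var_dump(login($users, 'nobody', 'anything'));
var_dump(confirmOptin($users, 'alice', $token));
```

The stored column should be wide enough for future algorithms (the PHP manual suggests VARCHAR(255)); using PASSWORD_DEFAULT instead of PASSWORD_BCRYPT lets PHP move to a stronger default later, and password_needs_rehash() is what upgrades old rows transparently at the next successful login.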
