|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #64816 CRYPT_BLOWFISH is not better than PBKDF2
Submitted: 2013-05-11 00:02 UTC Modified: 2015-05-17 04:22 UTC
Avg. Score:4.0 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: nenolod at dereferenced dot org Assigned:
Status: No Feedback Package: hash related
PHP Version: 5.5.0RC1 OS: N/A
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: nenolod at dereferenced dot org
New email:
PHP Version: OS:


 [2013-05-11 00:02 UTC] nenolod at dereferenced dot org
From manual page:

CRYPT_BLOWFISH has a limit of 76 characters maximum.  PBKDF2 has no limit, and when used with an HMAC function like sha256 or sha512 is vastly more complex to crack.

Please consider removing this from the documentation as it recommends a poor security practise as 'superior'.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-28 06:57 UTC]
-Status: Open +Status: Analyzed
 [2013-06-28 06:57 UTC]
From the manual
The PBKDF2 method can be used for hashing passwords for storage (it is NIST 
approved for that use). However, it should be noted that CRYPT_BLOWFISH is 
better suited for password storage and should be used instead via crypt().

This is too much. There are several problems.

1. crypt() is not encouraged, password_hash() is. (PHP 5.5>=)
2. PHP 5.5 users are encouraged to use password_hash() since it allows to 
upgrade hashing algorithm by upgrading PHP. (i.e. automatically updates 
3. Both password_hash() and hash_pbkdf2() are good enough if users used them 
with correct parameters. 

Note that correct usage is important for robust security. RFC 2898 suggest 1000+ 
rounds and NIST suggests several thousands rounds with SHA2 hashing. However, 
these number may consider too few with current technology.

It recommends tens of thousands rounds with SHA2 hash.

Anyway, both password_hash(), which uses crypt+blowfish internally, and 
hash_pbkdf2() good enough if users set at least 10000 rounds with SHA2 hash. (I 
would recommend 20000+, though)

I know there are number of weaknesses of blowfish have been reported, but it 
wouldn't be a problem with password length longer than 8 chars (I would 
recommend at least 10. 12+ is better)

Current password_hash() uses a little few rounds(2^10 = 1024). Since hash 
computation execution efficiency is differ from SHA2, blowfish requires less 
rounds and 1024 is acceptable, IMO. (I would suggest 2^12 or more, though)

Anyway, many users don't have clue about password hashing and current 
documentation cannot consider correct. Doc should be updated.
 [2015-05-04 18:03 UTC]
-Status: Analyzed +Status: Feedback -Package: Documentation problem +Package: hash related
 [2015-05-04 18:03 UTC]
The respective info in the manual has been changed in the

| The PBKDF2 method can be used for hashing passwords for storage.
| However, it should be noted that password_hash() or crypt() with
| CRYPT_BLOWFISH are better suited for password storage.

Is that sufficient?
 [2015-05-05 04:34 UTC] nenolod at dereferenced dot org
-Status: Feedback +Status: Open
 [2015-05-05 04:34 UTC] nenolod at dereferenced dot org
It is not sufficient because it is wrong.  Recommending a dubious homegrown password hashing solution instead of a standard one (PBKDF2) is also dubious in and of itself, even if the cryptographic primitives are correct.

The text should recommend that the PBKDF2 functions be used by "advanced" users (since the cryptographic primitives used are configurable), and password_hash() should use PBKDF2 with at least 128,000 rounds or more which is standard practice, *not* CRYPT_BLOWFISH.

PHP is an overgrown templating engine not a cryptography research toolkit, it should be using standardized best practices for password security.
 [2015-05-06 19:37 UTC]
-Status: Open +Status: Feedback
 [2015-05-06 19:37 UTC]
It should be noted that crypt(3) and password_hash(), which is
based on crypt(3), are no "dubios homegrown password hashing
solutions", but rather widely used.

The fact that PBKDF2 is recommended by NIST as "Password-Based Key
Derivation" function[1] is indisputable, but it might be
disputable that it is equally well suited for hashing passwords.
According to a StackExchange thread[2], bcrypt is somewhat better
suited for password hashing than PBKDF2, and according to the
scrypt paper[3], table 1 on page 14, bcrypt is harder to crack
then PBKDF2 for typical password lengths.

Can you point to any references to back your claim that bcrypt
should not be used for password hashing, and that PBKDF2 is
superior for this purpose?

Anyway, using PBKDF2 for password_hash() is probably not the best
idea, as there is no standardized crypt-compatible format for this

[1] <>
[2] <>
[3] <>
 [2015-05-17 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Apr 19 04:01:23 2021 UTC