Recommend password_hash in the README

defuse · Jan 9, 2019 · 1dc0ba3 · 1dc0ba3 · ronnel423 · Aug 14, 2019
1 parent f0a8dd3
commit 1dc0ba3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/PasswordStorage.php b/PasswordStorage.php
@@ -44,7 +44,7 @@ public static function create_hash($password)
                 $salt_raw = false;
             }
         } else {
-            $salt_raw = \mcrypt_create_iv(self::PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM);
+            $salt_raw = @\mcrypt_create_iv(self::PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM);
         }
         if ($salt_raw === false) {
             throw new CannotPerformOperationException(

diff --git a/README.md b/README.md
@@ -23,7 +23,11 @@ using a memory hard algorithm, your passwords will be better protected.
 One thing you could do would be to use
 [libsodium](https://github.com/jedisct1/libsodium) to [hash your passwords with
 scrypt](https://download.libsodium.org/doc/password_hashing/index.html). It has
-bindings available for many languages.
+bindings available for many languages. For PHP apps, a great option is to use the
+built-in
+[`password_hash()`](https://secure.php.net/manual/en/function.password-hash.php)
+and
+[`password_verify()`](https://secure.php.net/manual/en/function.password-verify.php) functions.
 
 Since there are better options, this code is now in "maintenance mode." Only
 bugs will be fixed, no new features will be added. It is currently safe to use,