Only two years since my last post :)

I was fixing up an old website I had built to improve the security and as part of that I wanted to improve the way in which passwords were stored, created, and verified for complexity. As part of this I built PasswordHelper, a small PHP library (61 lines of code) described on the overview/download/documentation/example page as follows:


PasswordHelper is a lightweight BSD licensed PHP class that has a number of password related utility functions that make it easy to:

  • Securely store passwords by hashing them with the adaptive Blowfish/bcrypt algorithm with random salt values
  • Compare user submitted passwords with stored password hashes
  • Generate random passwords
  • Validate password complexity for length and matches to a configurable set of regular expressions

The library does nothing too complex – it just makes it easy to do common things to help create more secure PHP applications utilizing existing PHP functions through a simpler API. Most of the existing APIs seem a bit…cryptic (ha ha, right?) and there are so many options and algorithms from which to choose. Choosing the ‘wrong’ algorithm for password hashing can lead to big problems, like the ability for hackers to brute force hundreds of thousands of passwords from your database in an hour.


Here’s a quick example of how it is used:

<?php
require_once 'PasswordHelper.php'; // assumed path to the library's class file

$pass = new PasswordHelper();
// Hash a password with bcrypt and a random salt before storing it in a database
$hash = $pass->generateHash('myP@ssword');
// Validate the password against the stored hash on a login attempt
if ($pass->compareToHash('myWrongPassword', $hash)) {
	// password matches
} else {
	// password doesn't match
}
// Generate a random password
$randomPassword = $pass->generateRandomPassword();
// Validate the complexity of a password
$password = 'myP@ssword'; // candidate password to check (sample value)
if ($pass->checkPasswordComplexity($password)) {
	// password meets requirements
} else {
	// password doesn't meet requirements
}
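To show what a wrapper like this does underneath, here is an added example (my own illustration, not the PasswordHelper library's code) of the same four operations built directly on PHP's crypt(), random_bytes() and preg_match(); the function names, the cost factor and the rule set are assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example, not PasswordHelper's code. Assumes PHP >= 7 (random_bytes, random_int, hash_equals).

// bcrypt hash with a fresh random 16-byte salt. $cost is the adaptive work factor
// (2^cost rounds), so it can be raised over time as hardware gets faster.
function bcryptHash(string $password, int $cost = 12): string {
    // bcrypt expects 22 chars of its own alphabet (./A-Za-z0-9), so swap '+' for '.'
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {           // crypt() returns a short string on failure
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Re-hash using the salt and cost embedded in the stored hash, then compare in
// constant time so the comparison does not leak how many leading bytes matched.
function bcryptVerify(string $password, string $storedHash): bool {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Random password drawn from a CSPRNG (rand()/mt_rand() are not suitable here).
function randomPassword(int $length = 16): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Complexity check: a minimum length plus every regex in a configurable rule set.
function checkComplexity(string $password, int $minLength, array $rules): bool {
    if (strlen($password) < $minLength) {
        return false;
    }
    foreach ($rules as $regex) {
        if (!preg_match($regex, $password)) {
            return false;
        }
    }
    return true;
}

// Rule set (assumed): one upper, one lower, one digit, one symbol.
$rules = ['/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[^A-Za-z0-9]/'];
$hash = bcryptHash('myP@ssword');
var_dump(bcryptVerify('myP@ssword', $hash), bcryptVerify('myWrongPassword', $hash));
var_dump(checkComplexity('myP@ssword', 8, $rules), checkComplexity(randomPassword(), 12, $rules));
```

The stored value is the full 60-character crypt() string, so the cost and salt travel with the hash and no separate salt column is needed.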

Check it out if you need some help with passwords in your PHP application…