
Request: add equivalents to PHP's password_hash() and password_verify() functions

Open twostraws opened this issue 8 years ago • 0 comments

Everyone knows secure coding is hard, so it's very helpful that BlueCryptor provides a great deal of advanced functionality to make a developer's life easier. Sadly, even with helpful APIs around, using them badly results in an insecure project – in fact one could even argue that it's less secure, because its developers have a false sense of security in their poor implementation. (Probably the most famous example, from some years ago.)

When it comes to storing passwords, PHP has two excellent functions that take a lot of the worry away from developers: password_hash() and password_verify(). The former accepts a plain text password as its first parameter, and creates a password hash using Blowfish. To make this work, it also creates a salt for you. The complete string that gets returned contains the algorithm that was used, salt, and cost (presumably rounds?) as part of the hash, which means it's a single value that can be stored in a database attached to a user.

When it comes time to authenticate the user, password_verify() is used. This takes the plain-text password from the user along with the hash string returned from password_hash(), and returns true if they match. This is possible because password_hash() contains all the extra information – validation is pretty simple.

Storing important information such as passwords is always going to be an important part of any web project. As a result, it would be helpful if BlueCryptor added functions similar to these two from PHP that effectively eliminate a wide variety of coder errors and ensure best practice.

twostraws, Jan 23 '17 20:01
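
A sketch of the single-string hash format the request describes, as an added example that is not part of the original issue and is neither BlueCryptor nor PHP code. It is written in Python with the standard library only and uses PBKDF2-HMAC-SHA256 in place of PHP's algorithm; the scheme label, the round count and the `needs_rehash` helper are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2-sha256"   # constructed label, not a PHP or BlueCryptor identifier
DEFAULT_ROUNDS = 600_000   # assumed cost setting; tune to your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, KEY_BYTES)


def password_hash(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return one storable string: $scheme$rounds$salt$derived_key."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    return f"${SCHEME}${rounds}${_b64(salt)}${_b64(_derive(password, salt, rounds))}"


def password_verify(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in `stored`; False on malformed input."""
    try:
        empty, scheme, rounds_s, salt_s, key_s = stored.split("$")
        if empty != "" or scheme != SCHEME:
            return False
        rounds = int(rounds_s)
        if not 1 <= rounds <= 10_000_000:  # bound the work a tampered record can demand
            return False
        salt = base64.b64decode(salt_s, validate=True)
        expected = base64.b64decode(key_s, validate=True)
    except ValueError:
        return False
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(_derive(password, salt, rounds), expected)


def needs_rehash(stored: str, rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record is malformed or was made with a lower cost than `rounds`."""
    p = stored.split("$")
    return len(p) != 5 or p[1] != SCHEME or not p[2].isdecimal() or int(p[2]) < rounds
```

Because the cost is stored in each record, the default can be raised later: verify against the old record at login, then re-hash the password the user just supplied whenever `needs_rehash` returns true.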