Handling password hashing compatibility question

Hi all,

I’ve got a question I’m hoping someone might have an answer for :slight_smile:

Ok, now from what I’ve read, there is no blowfish/bcrypt/crypt module (or at least complete implementation) that would be compatible with PHP’s crypt functions directly, but I’m not so sure indirectly (like through string manipulation and multiple crypto methods). So - is there a way to take a blowfish hashed/salted password like `$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a`, get the salt, and perform a similar hash method in Xojo using either ktekinay’s blowfish implementation or Sky Dancer Studios’ blowfish implementation?

If not, is there a suggested way to handle salted/hashed passwords in Xojo that I could also replicate in PHP? I ask because I’m working on a Xojo app that would need to interface with an existing PHP website. Now, since I have control of the PHP code as well, it would be possible for me to create a script to modify the database into a more cross use compatible structure, but I’m really not sure how that would need to be handled (hashing methods, storing salts separate from the hashed passwords, etc.). Any tips or known tutorials would be appreciated.

Use Crypto.PBKDF2 with SHA512 (recommended) or SHA256. The equivalent PHP command is hash_pbkdf2.

Also, look into Security Via Obesity to store the hashes of the passwords.
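The PHP side of the PBKDF2 approach suggested above, as an added example that is not code from the thread or from either poster. The record layout, the iteration count, the function names and the `$save` callback are assumptions made for illustration; it also shows how the existing `$2y$` hashes can be replaced at login.

```php
<?php
// Added example, not code from the thread. Record layout (assumed):
//   pbkdf2-sha512$<iterations>$<salt hex>$<derived key hex>
const KDF_TAG = 'pbkdf2-sha512';
const KDF_ITERATIONS = 210000; // assumed work factor; tune for your hardware
const KDF_BYTES = 64;          // derived key length in bytes

function pbkdf2_record(string $password): string
{
    $salt = random_bytes(16); // fresh random salt per password
    // With $binary = true the length argument counts bytes, not hex digits.
    $dk = hash_pbkdf2('sha512', $password, $salt, KDF_ITERATIONS, KDF_BYTES, true);
    return implode('$', [KDF_TAG, KDF_ITERATIONS, bin2hex($salt), bin2hex($dk)]);
}

function pbkdf2_verify(string $password, string $record): bool
{
    $p = explode('$', $record);
    if (count($p) !== 4 || $p[0] !== KDF_TAG || !ctype_digit($p[1]) || (int)$p[1] < 1) {
        return false;
    }
    foreach ([$p[2], $p[3]] as $hex) { // reject malformed hex before hex2bin()
        if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
            return false;
        }
    }
    $stored = hex2bin($p[3]);
    $dk = hash_pbkdf2('sha512', $password, hex2bin($p[2]), (int)$p[1], strlen($stored), true);
    return hash_equals($stored, $dk); // constant-time comparison
}

// bcrypt output cannot be converted to PBKDF2 without the password, so
// existing $2y$ hashes are checked with password_verify() and replaced on a
// successful login. $save is a hypothetical callback that writes the new record.
function login_and_upgrade(string $password, string $stored, callable $save): bool
{
    if (strncmp($stored, '$2y$', 4) === 0) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        $save(pbkdf2_record($password));
        return true;
    }
    return pbkdf2_verify($password, $stored);
}
```

For the Xojo app to reproduce the derived key with Crypto.PBKDF2, it has to use the same salt bytes, iteration count, output length and SHA512 setting, and pass the password in the same byte encoding (for example UTF-8) as the PHP side.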