Until now, and I haven't used it much, I've been using the hasher found over at phpass. Then I read another post, "forget password page, creating a generated password to email to the user", here at stackoverflow written by nageeb.
Excerpt from his post:
Here’s a step-by-step method that I use:
User creates password (via a registration form)
A function creates a random salt and then encrypts the password, in this case using the SHA256 algorithm and a randomly created salt:

```php
// Random 32-byte salt, hex-encoded (64 characters). mcrypt_create_iv() was
// removed in PHP 7.2; random_bytes() is the modern equivalent.
$password_salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
// One SHA-256 over the salt prepended to the password; $password_salt is the
// value generated on the line above.
$password_hash = hash('sha256', $password_salt . $password);
```
Save the $password_hash and the $password_salt to the users table. These will be used later to authenticate the user when they attempt to login in the future.
When the user logs in, check the username/email/login and if found, grab the hash and salt from the users table and compare the password hash from the db to the hash returned from performing the same function on what they entered as their password.
```php
$salt = $user_record['password_salt'];
// Recompute the hash with the stored salt and compare the result
// to $user_record['password_hash'].
$entered_hash = hash('sha256', $salt . $entered_password);
```
Here it looks like PHP has native functions for all hashing needs. This makes me think it must be the better one. Should I stop using phpass and start using the PHP hash framework?
In short: no, don’t stop using phpass if you’re already using it.
If there is no other reason for not using it than "it's not built into PHP", then you should stick with phpass, because it does a little bit more than just "hash" the password:

- it uses sha* and is therefore harder to crack with brute force
- when using md5() it calls it many times to "emulate" expensiveness

You could do that with PHP's hashing mechanism, but that would be like reinventing the wheel.
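The following is an added example, not code from the question, the answer or phpass. It puts the single-round salted SHA-256 scheme quoted in the question next to PHP's built-in password_hash()/password_verify(), which salt the password and deliberately slow the hash down with a configurable cost, the "expensiveness" the answer refers to. password_hash() was added in PHP 5.5 and random_bytes() in PHP 7.0, so both are newer than the functions in the question; the example assumes PHP 7.0 or later, and the sample passwords and the cost value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// --- Scheme from the question: one SHA-256 over salt.password ---------------
// random_bytes() replaces mcrypt_create_iv(), which was removed in PHP 7.2.
function legacy_register(string $password): array
{
    $salt = bin2hex(random_bytes(32));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function legacy_verify(array $record, string $entered): bool
{
    $candidate = hash('sha256', $record['salt'] . $entered);
    // hash_equals() compares in constant time. A loose == on two hex digests
    // is also unsafe: numeric-looking strings such as "0e123" and "0e456"
    // compare equal because both are numerically zero.
    return hash_equals($record['hash'], $candidate);
}

// --- Native stretched hashing: bcrypt via password_hash() -------------------
// The salt is generated internally and stored inside the returned string, so a
// single column holds everything needed to verify. cost=12 means 2^12 rounds
// of bcrypt; raise it over time as hardware gets faster.
function native_register(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function native_verify(string $stored, string $entered): bool
{
    return password_verify($entered, $stored);
}

// Estimate how many guesses per second an attacker holding the stored hashes
// can test offline with each scheme. Constructed guesses, all wrong on purpose.
function guesses_per_second(callable $verify, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $verify("wrong-guess-$i");
    }
    return $n / (microtime(true) - $start);
}

$legacy = legacy_register('correct horse battery staple');
$native = native_register('correct horse battery staple');

var_dump(legacy_verify($legacy, 'correct horse battery staple'));
var_dump(legacy_verify($legacy, 'Tr0ub4dor&3'));
var_dump(native_verify($native, 'correct horse battery staple'));
var_dump(native_verify($native, 'Tr0ub4dor&3'));

printf("single SHA-256: ~%.0f guesses/s\n",
    guesses_per_second(function (string $g) use ($legacy) {
        return legacy_verify($legacy, $g);
    }, 20000));
printf("bcrypt cost 12: ~%.1f guesses/s\n",
    guesses_per_second(function (string $g) use ($native) {
        return native_verify($native, $g);
    }, 20));

// When the cost is raised later, password_needs_rehash() tells you at login
// time which stored hashes to regenerate with the new parameters.
var_dump(password_needs_rehash($native, PASSWORD_BCRYPT, ['cost' => 13]));
```

The two guesses-per-second figures are the practical difference between the schemes: with the single SHA-256 the salt only defeats precomputed tables, while an attacker with the database can still test millions of candidates per second per core; bcrypt at cost 12 cuts that to a few per second on the same hardware, which is exactly what phpass (and the md5() loop the answer mentions) sets out to achieve.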