PHP.net says that md5() and sha1() unsuitable for password?

春和景丽 2021-01-27 16:09

http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

I'm storing user passwords in a MySQL database in hash form. Does this mean that it is unsafe to d

5 answers
  •  陌清茗 (original poster)
    2021-01-27 17:04

    As the page you linked to recommends, use the PHP crypt() function with the Blowfish algorithm. Also, use a varying salt for each call to crypt(). You can store the salt values in the same database table as the password, so that it can be used when you compare the passwords later.

    To call crypt() with the Blowfish algorithm, use a salt that begins with $2a$, followed by a number (the "cost parameter") between 04 and 31, followed by a $, and then 22 digits from the alphabet ./0-9A-Za-z.

    The PHP: crypt manual contains more details on how to use crypt().
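
The crypt()/Blowfish scheme described in the answer above, written out as an added example (not code from the original post). The function names and the cost of 10 are assumptions, and it uses the `$2y$` prefix, which the PHP manual recommends over `$2a$` on PHP 5.3.7 and later; `random_bytes()` needs PHP 7+.

```php
<?php
// Added example. Function names are hypothetical, not from the original answer.

function make_bcrypt_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('cost must be between 04 and 31');
    }
    // 16 random bytes -> base64 -> first 22 characters (padding is cut off),
    // with '+' mapped to '.' so every character is in ./0-9A-Za-z.
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    // Layout: prefix, two-digit cost, '$', 22 salt characters.
    return '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $chars;
}

function hash_password(string $password, int $cost = 10): string
{
    $hash = crypt($password, make_bcrypt_salt($cost));
    // On failure crypt() returns a short marker such as "*0",
    // never a full 60-character Blowfish hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a Blowfish hash');
    }
    // The result already embeds prefix, cost and salt, so storing this
    // one string is enough to verify later.
    return $hash;
}

function verify_password(string $password, string $stored): bool
{
    // Passing the stored hash as the salt makes crypt() reuse its cost and salt.
    $candidate = crypt($password, $stored);
    // hash_equals() compares in constant time.
    return strlen($candidate) === 60 && hash_equals($stored, $candidate);
}

$password = 'correct horse battery staple'; // constructed sample input
$first  = hash_password($password);
$second = hash_password($password);

var_dump($first !== $second);                      // a fresh salt per call
var_dump(verify_password($password, $first));      // matching password
var_dump(verify_password('wrong guess', $first));  // non-matching password
var_dump(password_verify($password, $second));     // built-in check, same format
```

On PHP 5.5 and later, `password_hash()` and `password_verify()` perform the same salt generation and comparison steps for you.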
