PHP recently suffered a bug in its password hashing algorithm that could lead to security vulnerabilities in applications. The bug, which was discovered and reported by researchers from Paragon Initiative Enterprises, could allow malformed BCrypt hashes to be accepted as valid, so that a password could be reported as matching when it does not.
The issue was caused by a PHP-specific modification to the crypt_blowfish algorithm, known as the “PHP hack”, which allowed a salt that was cut short by a $ character to be detected as valid and processed by the algorithm. While such a hash is not a valid BCrypt hash and is not generated by PHP’s recommended password hashing API, password_hash(), some applications may still validate passwords against malformed or untrusted hashes, making them vulnerable to the bug.
The suggested fix for the bug was to remove the “PHP hack” and with it the differences between PHP’s crypt_blowfish and Openwall’s crypt_blowfish, on which PHP’s implementation is based. This ensures that only valid BCrypt hashes are processed by the algorithm and eliminates the security vulnerability introduced by the bug. The fix has been committed to the PHP source code by Stas Malyshev, a core PHP developer.
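The defensive counterpart to the fix is to never hand an untrusted or malformed string to the verifier in the first place. The following is an added example (not PHP's or Paragon's code; the function names and the sample rows are my own, and the sample hashes are constructed shapes, not hashes of any real password) that checks stored BCrypt strings against the modular-crypt layout and flags the truncated-salt shape the “PHP hack” used to accept:

```python
import re

# Modular-crypt BCrypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
# BCrypt uses its own base64 alphabet: . / A-Z a-z 0-9
BCRYPT_RE = re.compile(
    r"^\$2(?P<variant>[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

def parse_bcrypt(hash_str):
    """Return the components of a well-formed BCrypt hash, or None.

    Rejects anything that is not exactly one 60-character BCrypt string,
    including a salt cut short by a '$' (the shape the 'PHP hack' accepted).
    This is a shape check only; it does not verify any password.
    """
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:          # cost range PHP's crypt() accepts for BCrypt
        return None
    return {"variant": m.group("variant"), "cost": cost,
            "salt": m.group("salt"), "digest": m.group("digest")}

def audit_hashes(rows):
    """Given (user, stored_hash) pairs, return the users whose stored hash is
    malformed and must not be passed to password_verify() at all."""
    return [user for user, h in rows if parse_bcrypt(h) is None]

# Constructed sample rows (hypothetical): valid alphabet, deliberately synthetic.
GOOD_SALT = "saltsaltsaltsaltsalt00"            # 22 chars
GOOD_DIGEST = "digestdigestdigestdigest0000000"  # 31 chars
SAMPLE_ROWS = [
    ("alice", "$2y$10$" + GOOD_SALT + GOOD_DIGEST),
    # salt cut short by '$': the malformed shape that was mis-validated
    ("bob",   "$2y$10$" + "saltsaltsaltsalt$" + GOOD_DIGEST),
    ("carol", "$2y$99$" + GOOD_SALT + GOOD_DIGEST),   # cost out of range
    ("dave",  "not-a-bcrypt-hash"),
]

if __name__ == "__main__":
    print("malformed:", audit_hashes(SAMPLE_ROWS))  # → malformed: ['bob', 'carol', 'dave']
```

Run this over a credential table before upgrading or when a verifier bug like this one is announced; any row it flags should be treated as unverifiable and reset rather than tested.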
The bug and its fix generated a lot of discussion among the programming community, particularly on social media and forums like Hacker News. Some people defended PHP as a useful and endearing language despite its flaws, while others criticized it as outdated and irrelevant. Some also debated the merits of different programming languages and their respective strengths and weaknesses.
Regardless of one’s opinion on PHP or programming languages in general, the bug serves as a reminder of the importance of thorough testing and secure coding practices in software development. Since vulnerabilities and bugs can arise even in well-established and widely used programming languages, it is crucial for developers to stay up to date on the latest security best practices and to be vigilant in their code review and testing efforts.
More information at