In a new post to her site Lorna Mitchell encourages you to upgrade to better passwords by using either the built-in password hashing (since PHP 5.5) or by using the userland implementation (that works for >=PHP 5.3.7).

The password features in PHP aren't exactly new, but I see lots of applications from "before" which aren't being migrated to better practices. I have some strategies for doing these migrations so I thought I'd share my main approach, plus a similar-but-different one I saw in the wild (OK it was in CakePHP, so not too wild!).

She offers a few steps to follow to upgrade your application to use the bcrypt solution instead of your current format:

• Update Login Code (change SQL to just fetch the password, not evaluate it)
• Hash existing passwords
• Update registration code (for new passwords to use the new method)
• Migrate users with old passwords hashes once they've verified their current login

She also mentions alternatives to these approaches including forcing the user to change their password on login.

On the SitePoint PHP blog today there's a new tutorial walking you through a new feature of PHP 5.5 that can help you create more secure password hashes easily - the Password Hashing API.

Using bcrypt is the currently accepted best practice for hashing passwords, but a large number of developers still use older and weaker algorithms like MD5 and SHA1. Some developers don’t even use a salt while hashing. The new hashing API in PHP 5.5 aims to draw attention towards bcrypt while hiding its complexity. In this article I’ll cover the basics of using PHP’s new hashing API.

He starts by introducing the functions involved to create, verify get general information and see if the hash needs to be regenerated. For each function he provides a summary of what it does and some sample code putting it to use. If you haven't upgrade to PHP 5.5 yet and still want to use it, consider adding this library to your application. It provides the same interface, just in a "userland" implementation.