Open flack opened 7 years ago
Generic crypt compatibility is not a documented feature of either this project or php.net/password_verify. You can use it, but it's not a supported use-case in either.
The final condition here should be < for that to work: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php#L239
However, given that this library has been in maintenance mode for years, that 5.4 is not a currently supported version, and that CRYPT_STD_DES is horrifically insecure, I'm inclined to close as a wontfix... Open to hearing discussion in the other direction though.
Well, of course I don't plan to create new passwords with std_des. But I have a couple of really old databases where existing passwords have been created with that function. So I was hoping I could password_verify the users on login and then rehash to something a little more sane so that I can gradually migrate. I'll also update this machine to a newer PHP eventually, but this might take some time (and Debian Wheezy still has LTS support until May 2018, so it's not entirely unsupported just yet). Having password_verify work would basically allow me to begin using modern functionality right away instead of waiting for the OS upgrade to happen.
P.S.: I tested the change you proposed, works like a charm!
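The login-time migration flack describes, as an added example that is not code from password_compat or from anyone in this thread: verify a legacy STD_DES crypt() hash directly when the shim does not, then rehash with password_hash() so the stored credential is upgraded on the next successful login. The helper names (verify_and_upgrade, the hash_equals polyfill) and the runtime-generated sample hash are assumptions of this example.

```php
<?php
// Added example, not from password_compat. Assumes password_hash()/password_verify()
// are available (PHP >= 5.5, or password_compat loaded on 5.4).

if (!function_exists('hash_equals')) {
    // PHP < 5.6 lacks hash_equals(); constant-time comparison for the fallback below.
    function hash_equals($known, $user) {
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($known); $i < $n; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Returns true when $password matches $storedHash. If the match came from a
// legacy hash (or a modern hash with outdated parameters), $newHash is set to a
// fresh password_hash() value that the caller should persist in place of the old one.
function verify_and_upgrade($password, $storedHash, &$newHash) {
    $newHash = null;

    // Modern hashes ($2y$ etc.) go through password_verify as usual.
    if (password_verify($password, $storedHash)) {
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy path: a STD_DES hash is exactly 13 characters (2-char salt + 11).
    // crypt() reuses the salt from $storedHash; a bad salt yields "*0"/"*1", which
    // fails the length check inside hash_equals rather than matching anything.
    if (strlen($storedHash) === 13 && hash_equals($storedHash, crypt($password, $storedHash))) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    return false;
}

// Constructed sample: build a STD_DES hash at runtime with a 2-character salt
// (CRYPT_STD_DES), as an old database row would contain it.
$legacy = crypt('secret', 'ab');
$upgraded = null;
if (verify_and_upgrade('secret', $legacy, $upgraded)) {
    // On a real login this is where $upgraded (a $2y$ hash) replaces $legacy in the DB.
    echo "login ok; rehashed to: {$upgraded}\n";
}
if (!verify_and_upgrade('wrong', $legacy, $upgraded)) {
    echo "wrong password rejected; stored hash left unchanged\n";
}
```

Once all rows have been rewritten, the 13-character fallback branch can be removed so STD_DES hashes are no longer accepted at all.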
When I run the following code in PHP 5.4.45, I get false as the result. When I run the same code with PHP's native password_verify function, I get true.