Michelangelo van Dam:
A word about my Have I Been Pwned package
Jan 03, 2019 @ 14:44:12

Based on the responses to a tweet he posted about the Have I Been Pwned PHP package he created (linked from the post), Michelangelo van Dam clears up how the package works in order to calm some fears about how it handles passwords.

Yesterday evening I posted a Tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned. [...] It went viral overnight with many likes and retweets. But I also got a ton of questions regarding the usage and the security of this package. It turns out many people are scared to send passwords over the internet and are afraid to just use a package (like mine) for password checking.

In his post he explains how the password lookup works: the package SHA-1 hashes the password and sends only the first five hex characters of that hash to the HIBP "range" endpoint, never the plain-text password or even the full hash. The server answers with every hash suffix it holds for that prefix, and the comparison against the user's own hash happens locally. He includes a helpful graphic to illustrate the process and an example (not taken directly from the package) of how the request might work. His package makes it much simpler to perform this validation in your application.
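The lookup described above, as an added example in plain PHP. This is not the dragonbe package's code; the API URL and the "SUFFIX:COUNT" response format are HIBP's own, the HTTP call is passed in as a callable so the check runs offline against a constructed response, and the hit count in that response is made up.

```php
<?php
declare(strict_types=1);

// Added example of the k-anonymity lookup, not the dragonbe package's code.
// 1. SHA-1 the password (uppercase hex).
// 2. Send only the first 5 hex chars (the "range") to the API.
// 3. Compare the remaining 35 chars against the returned suffixes locally.

const HIBP_RANGE_URL = 'https://api.pwnedpasswords.com/range/';

/**
 * Number of times $password appears in Pwned Passwords (0 = not found).
 * $fetchRange receives the 5-char prefix and returns the response body.
 */
function pwnedCount(string $password, callable $fetchRange): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);
    $suffix = substr($hash, 5); // 35 hex chars, never sent anywhere

    foreach (preg_split('/\r?\n/', trim($fetchRange($prefix))) as $line) {
        // Each line is "SUFFIX:COUNT"; padded responses include count-0 filler lines.
        if (strpos($line, ':') === false) {
            continue;
        }
        [$candidate, $count] = explode(':', $line, 2);
        if (hash_equals($suffix, strtoupper(trim($candidate)))) {
            return (int) $count;
        }
    }
    return 0;
}

/** Real transport: one HTTPS GET per lookup, carrying nothing but the prefix. */
function fetchRangeFromHibp(string $prefix): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        // Add-Padding keeps response sizes similar, so an on-path observer who can
        // only see lengths cannot infer which range was requested.
        'header'  => "User-Agent: hibp-range-example\r\nAdd-Padding: true\r\n",
        'timeout' => 5,
    ]]);
    $body = file_get_contents(HIBP_RANGE_URL . $prefix, false, $ctx);
    if ($body === false) {
        // Whether to fail open or closed is a policy decision left to the caller.
        throw new RuntimeException('HIBP range lookup failed');
    }
    return $body;
}

// Constructed stand-in for the response to /range/5BAA6, the prefix for "password"
// (sha1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The count is made up.
$fakeResponse = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
              . str_repeat('0', 34) . "A:0\r\n";

assert(pwnedCount('password', fn (string $prefix): string => $fakeResponse) === 1234567);
assert(pwnedCount('a long unique passphrase 4f9c', fn (string $prefix): string => $fakeResponse) === 0);

// Live use: $count = pwnedCount($submittedPassword, 'fetchRangeFromHibp');
```

A non-zero count is a signal, not a verdict: most sites reject the password outright on registration and password change, and only warn at login. Decide up front what happens when the API is unreachable, since a silent fail-open makes the check worthless under an outage.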

tagged: haveibeenpwned package password clarification password

Link: https://www.dragonbe.com/2018/12/a-word-about-my-have-i-been-pwned.html

Rob Allen:
Migrating to password_verify
Dec 05, 2018 @ 15:08:01

In a new post to his site, Rob Allen walks through the process of migrating an older site to use the password hashing functions in PHP instead of the previous custom implementation.

I’ve recently been updating a website that was written a long time ago that has not been touched in a meaningful way in many years. In addition to the actual work I was asked to do, I took the opportunity to update the password hashing routines.

This site is so old that the passwords are stored using MD5 hashes and that’s not really good enough today, so I included updating to bcrypt hashing with password_hash() and password_verify() in my statement of work.

I’ve done this process before, but don’t seem to have documented it, so thought I’d write it the steps I took in case it helps anyone else.

He starts by converting every stored hash (already MD5, never plain text) into a bcrypt hash of that MD5 value, so nothing weaker than bcrypt remains in the database. He then updates the login code to select the account by email and verify the submitted password against the stored value with password_verify (for the wrapped rows, the input to password_verify is the MD5 of the submitted password). Finally, once a login has verified, he rehashes the plain-text password directly with bcrypt, saves that back to the database, and switches account creation over to password_hash.
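The three steps above, as an added example in plain PHP that is not Rob Allen's code. The "md5-wrapped:" marker used to tell wrapped rows from native bcrypt rows is this example's own convention (the post may use a separate column or flag), and the in-memory "table" is constructed.

```php
<?php
declare(strict_types=1);

// Added example of the MD5 -> bcrypt migration, not the post's code.
// Legacy rows hold md5($password) as 32 hex chars.
// Step 1 wraps every legacy hash in bcrypt offline, so no bare MD5 remains stored.
// Step 2 verifies a login against the wrapped hash.
// Step 3 rehashes the plain password once it has been verified; from then on the
//        row is an ordinary bcrypt hash and the wrapper is gone.

const LEGACY_PREFIX = 'md5-wrapped:'; // this example's marker, not from the post

/** Step 1: run once over the user table. Input is the stored MD5 hex, never a plaintext. */
function wrapLegacyMd5(string $md5Hex): string
{
    return LEGACY_PREFIX . password_hash($md5Hex, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Steps 2 and 3: returns the value to store back on success (the caller writes it),
 * or null when the password does not match.
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (strncmp($stored, LEGACY_PREFIX, strlen(LEGACY_PREFIX)) === 0) {
        $wrapped = substr($stored, strlen(LEGACY_PREFIX));
        // The wrapped hash was computed over the hex MD5, so feed it the same thing.
        if (!password_verify(md5($password), $wrapped)) {
            return null;
        }
        // Verified, and we now hold the plaintext: hash it directly.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Already bcrypt; rehash only if the cost has since been raised.
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => 12])
        : $stored;
}

// Constructed in-memory stand-in for the user table.
$users = [
    'alice@example.com' => ['password' => md5('correct horse')],
];

// Step 1: one-off migration of every row.
foreach ($users as &$row) {
    $row['password'] = wrapLegacyMd5($row['password']);
}
unset($row);
assert(strncmp($users['alice@example.com']['password'], LEGACY_PREFIX, strlen(LEGACY_PREFIX)) === 0);

// Steps 2 and 3: first login after migration upgrades the row to a plain bcrypt hash.
$new = verifyAndUpgrade('correct horse', $users['alice@example.com']['password']);
assert($new !== null && strncmp($new, '$2y$', 4) === 0);
$users['alice@example.com']['password'] = $new;

assert(verifyAndUpgrade('wrong password', $new) === null);
assert(verifyAndUpgrade('correct horse', $new) === $new); // cost unchanged, no rehash
```

Users who never log in again keep the wrapped form indefinitely; that is still bcrypt-protected, so the MD5 weakness is gone the moment step 1 completes, which is the point of wrapping rather than waiting for each user to return.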

tagged: migrate password hashing verify tutorial

Link: https://akrabat.com/migrating-to-password_verify/

Zend Framework Blog:
Protecting passwords with Argon2 in PHP 7.2
Aug 18, 2017 @ 16:12:01

On the Zend Framework blog today there's a new post from Enrico Zimuel showing you how you can use Argon2 password hashing in PHP applications (coming natively in PHP 7.2).

PHP 7.2 will be released later this year (2017). This version contains some interesting additions, including two new security features: support of the libsodium library.

With these new features, PHP is the first programming language to adopt modern cryptography in its standard library.

In this article, we demonstrate the usage of the Argon2 password hash algorithm.

He then walks through installing the pre-release PHP 7.2 and the Argon2 library to get the environment running, briefly describes what the Argon2 hashing algorithm is, and shows how to use it directly in PHP via the password_hash function with the PASSWORD_ARGON2I constant. He also covers password_get_info and shows what inspecting an Argon2 hash returns.
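An added example of Argon2 through password_hash, not the Zend Framework post's code. It picks the strongest Argon2 variant the running PHP was built with (PASSWORD_ARGON2I requires 7.2 built with Argon2 support; PASSWORD_ARGON2ID arrived in 7.3), sets the cost parameters explicitly, inspects the result with password_get_info, and upgrades weaker hashes on login with password_needs_rehash. The cost values are this example's choices, not a recommendation from the post.

```php
<?php
declare(strict_types=1);

// Added example, not from the Zend Framework post.
// memory_cost is in KiB (64 MiB here), time_cost is the pass count, threads the lanes.
// threads stays at 1: PHP builds that implement Argon2 via libsodium accept only 1.
const ARGON2_OPTIONS = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
const BCRYPT_OPTIONS = ['cost' => 12];

/** Best algorithm available in this build; the constant is an int before 7.4, a string after. */
function passwordAlgorithm()
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    return PASSWORD_BCRYPT; // no Argon2 compiled in; bcrypt remains a sound fallback
}

function passwordOptions(): array
{
    return passwordAlgorithm() === PASSWORD_BCRYPT ? BCRYPT_OPTIONS : ARGON2_OPTIONS;
}

function hashPassword(string $password): string
{
    return password_hash($password, passwordAlgorithm(), passwordOptions());
}

/**
 * Verifies $password against $hash. When the stored hash uses an older algorithm or
 * lower costs than current policy, $rehashed receives a replacement to store.
 */
function verifyPassword(string $password, string $hash, ?string &$rehashed = null): bool
{
    if (!password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, passwordAlgorithm(), passwordOptions())) {
        $rehashed = hashPassword($password);
    }
    return true;
}

$hash = hashPassword('correct horse battery staple');
assert(verifyPassword('correct horse battery staple', $hash));
assert(!verifyPassword('Correct horse battery staple', $hash));

// Encoded form on an Argon2 build: $argon2id$v=19$m=65536,t=4,p=1$<salt>$<tag>
// password_get_info() parses that back into algo/algoName/options.
$info = password_get_info($hash);
if (passwordAlgorithm() !== PASSWORD_BCRYPT) {
    assert($info['options']['memory_cost'] === 65536 && $info['options']['time_cost'] === 4);
}

// A hash made with PHP 7.2's default of 1 MiB memory is flagged for upgrade at next login.
if (defined('PASSWORD_ARGON2I')) {
    $old      = password_hash('correct horse battery staple', PASSWORD_ARGON2I,
                              ['memory_cost' => 1024, 'time_cost' => 2, 'threads' => 1]);
    $upgraded = null;
    assert(verifyPassword('correct horse battery staple', $old, $upgraded) && $upgraded !== null);
}
```

password_get_info returns an array with `algo`, `algoName` (for example `argon2i` or `bcrypt`) and the `options` recovered from the hash string, which is what makes password_needs_rehash able to compare a stored hash against current policy without any extra column in the database. Tune memory_cost and time_cost so a hash takes a fraction of a second on the login servers, then raise them over time; the rehash-on-login path above handles the migration.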

tagged: password hash argon2 tutorial install usage

Link: https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html

DotDev.co:
Exploitbox: WordPress Unauthorized Password Reset Vulnerability
May 05, 2017 @ 16:14:48

On the DotDev.co site Eric Barnes has written up a post about a recently announced WordPress vulnerability (unpatched at the time, hence the "0-day" label) that lets an attacker influence the sender address of password reset emails: the domain in that address is taken from the request rather than from the site's configuration, so bounces or auto-replies carrying the reset link can end up at an attacker-controlled host instead of staying with the account owner:

On the Exploitbox site Dawid Golunski shares a 0 day vulnerability in the WordPress core affecting all versions:

The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

The post includes the snippet of WordPress core code where the issue lies: the From address of the reset email is built from PHP's $_SERVER['SERVER_NAME'] variable. Under a common Apache configuration that value is copied from the request's Host header, which the attacker controls. A workaround using an Apache setting is offered, and it's noted that the exploit only seems to work against the default VirtualHost, since that is the one Apache falls back to when the Host header does not match any configured domain.
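The vulnerable pattern beside a hardened one, as an added example that is not WordPress code. The vulnerable function mirrors the sender-address construction the post quotes from core; the hardened version trusts the request host only when it matches an allowlist (an assumed configuration value here) and otherwise falls back to the configured site host. The attacker request is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress code. Apache's default is UseCanonicalName Off, under which
// SERVER_NAME is the request's Host header; when the Host matches no VirtualHost, Apache
// serves the request from the first (default) VirtualHost with that attacker-chosen name.

/** Vulnerable: sender domain comes straight from the request. */
function resetMailFromVulnerable(array $server): string
{
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

/**
 * Hardened: a request host is used only if it is one this site actually serves;
 * anything else falls back to the configured host. $allowedHosts and
 * $configuredHost are assumed application config, not WordPress settings.
 */
function resolveSiteHost(array $server, array $allowedHosts, string $configuredHost): string
{
    $candidate = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $candidate = preg_replace('/:\d+$/', '', $candidate); // drop an explicit port
    return in_array($candidate, $allowedHosts, true) ? $candidate : $configuredHost;
}

function resetMailFromSafe(array $server, array $allowedHosts, string $configuredHost): string
{
    return 'wordpress@' . resolveSiteHost($server, $allowedHosts, $configuredHost);
}

// Constructed request from the advisory's scenario: Host names a domain the attacker controls.
$attackerRequest = ['HTTP_HOST' => 'attacker.example', 'SERVER_NAME' => 'attacker.example'];
$normalRequest   = ['HTTP_HOST' => 'www.victim.example:443', 'SERVER_NAME' => 'www.victim.example'];
$allowed         = ['victim.example', 'www.victim.example'];

assert(resetMailFromVulnerable($attackerRequest) === 'wordpress@attacker.example');
assert(resetMailFromSafe($attackerRequest, $allowed, 'victim.example') === 'wordpress@victim.example');
assert(resetMailFromSafe($normalRequest, $allowed, 'victim.example') === 'wordpress@www.victim.example');
```

On the web-server side the same effect is had by setting `UseCanonicalName On` together with an explicit `ServerName`, so SERVER_NAME comes from the configuration rather than the Host header, and by making the default VirtualHost a catch-all that does not serve the WordPress site. The application-level check is still worth having, since it does not depend on how any particular front end is configured.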

tagged: exploit wordpress password reset vulnerability zeroday security

Link: https://dotdev.co/exploitbox-wordpress-unauthorized-password-reset-vulnerability/

SitePoint PHP Blog:
Let’s Kill the Password! Magic Login Links to the Rescue!
Dec 15, 2016 @ 18:36:17

On the SitePoint PHP blog there's a new tutorial from Christopher Vundi showing you how to create a password-less login system using "magic links". These links let users log into a service without a password: a one-time token is embedded in a special URL that is emailed to them, and following it completes the login.

Authentication is something that has evolved over the years. We have seen it change from email – password combination to social authentication, and finally password-less authentication. Actually, more like an “email only” authentication. In the case of a password-less login, the app assumes that you will get the login link from your inbox if the email provided is indeed yours.

[...] In this tutorial, we are going to implement such a system in a Laravel app. The complete code can be found here.

The tutorial then walks you through setting up the application environment: creating the Laravel project, building out the database and running "make:auth" to generate the related controllers, views and models. It shows how to point the login link at the new "magic link" functionality, with a matching controller and view, and then how to generate the tokens, email them to the user in the special URL and validate them when the user comes back.

tagged: password magic login link tutorial token email

Link: https://www.sitepoint.com/lets-kill-the-password-magic-login-links-to-the-rescue/

Laravel News:
Learn how to change Laravel’s login validation
Oct 27, 2016 @ 14:42:34

On the Laravel News site there's a quick post looking at Laravel's login validation and how you can make updates to its handling (and where the changes should be made).

Laravel’s included auth system is a great way of scaffolding out a basic flow for authenticating users through a complete registration, login, logout, and forgot password system.

When it’s all setup the login and password reset validation is stored in an AuthenticatesUsers and ResetsPasswords trait. Even though it’s a little hidden away it’s still easy to adjust this to your needs. Let’s take a look at how to adjust this.

The post then breaks each of these down, showing where in the framework source the code lives and how you can update or override the current handling. The login validation lives in the default "AuthenticatesUsers" trait and the password reset verification is in "ResetsPasswords". These can each be overridden in your own controllers as they're just methods included via traits.
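The two overrides the post points at, as an added example that is not its code. It uses the method names of the Laravel 5.3-era AuthenticatesUsers and ResetsPasswords traits the post covers (validateLogin and rules); the rule sets themselves are illustrative, and the two controllers are shown in one listing although in a real app each lives in its own file under app/Http/Controllers/Auth.

```php
<?php
// Added example, not from the Laravel News post. Overrides the trait methods in the
// controllers that `make:auth` generates (Laravel 5.3 method names).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home';

    public function __construct()
    {
        $this->middleware('guest', ['except' => 'logout']);
    }

    // The trait's validateLogin() only requires username() and password to be present.
    // Tighten it: the login field must be an email, and both fields get an upper bound
    // so oversized input is rejected before it reaches the password hasher.
    protected function validateLogin(Request $request)
    {
        $this->validate($request, [
            $this->username() => 'required|email|max:254',
            'password'        => 'required|string|max:1024',
        ]);
    }
}

class ResetPasswordController extends Controller
{
    use ResetsPasswords;

    protected $redirectTo = '/home';

    public function __construct()
    {
        $this->middleware('guest');
    }

    // The trait's rules() default to a 6-character minimum; require more on reset.
    protected function rules()
    {
        return [
            'token'    => 'required',
            'email'    => 'required|email',
            'password' => 'required|confirmed|min:12|max:1024',
        ];
    }
}
```

Because the trait methods are `protected`, the class using the trait overrides them simply by defining a method of the same name; nothing in the framework needs to change, and a later framework upgrade that alters the trait's defaults will not silently loosen your rules.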

tagged: laravel login validation trait tutorial password

Link: https://laravel-news.com/2016/10/login-validation/

Laravel News:
Learn about Grant Types in Laravel Passport
Aug 24, 2016 @ 15:46:49

On the Laravel News site today they've posted a tutorial helping you learn more about the grant types in the OAuth2 functionality provided by Laravel Passport.

OAuth2 is a security framework that controls access to protected areas of an application, and it’s mainly used to control how different clients consume an API ensuring they have the proper permissions to access the requested resources.

Laravel Passport is a full OAuth2 server implementation; it was built to make it easy to apply authentication over an API for laravel-based web applications.

For those not familiar with some of the terms around OAuth, the post starts with a few brief definitions (which those already familiar can skip). It then gets into creating the two kinds of grant handling with Passport: third-party authorization (the authorization code grant) and first-party applications (your own apps authenticating against the OAuth server, using the password grant). The post ends with a brief mention of creating access tokens manually, but points out that this functionality should probably only be used during testing.
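The first-party token exchange described above, as an added example that is not the Laravel News post's code nor Passport's own. The parameter names and the `/oauth/token` endpoint are Passport's; the client id and secret (as issued by `php artisan passport:client --password`), the host name and the responses are constructed so the flow can be traced offline through an injected transport.

```php
<?php
declare(strict_types=1);

// Added example, not from the post or from Passport: password grant, then refresh-token
// grant, against Passport's /oauth/token. The HTTP call is a callable so this runs offline.

/** POSTs form params to the token endpoint and returns the decoded JSON body. */
function requestToken(callable $post, string $tokenUrl, array $params): array
{
    $body = $post($tokenUrl, $params);
    $json = json_decode($body, true);
    if (!is_array($json) || !isset($json['access_token'])) {
        throw new RuntimeException('token request failed: ' . $body);
    }
    return $json; // token_type, expires_in, access_token, refresh_token
}

/** First-party login: exchanges the user's credentials directly for tokens. */
function passwordGrant(callable $post, string $tokenUrl, string $clientId, string $clientSecret,
                       string $username, string $password, string $scope = ''): array
{
    return requestToken($post, $tokenUrl, [
        'grant_type'    => 'password',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret, // server-side only; never ship it in a browser or app bundle
        'username'      => $username,
        'password'      => $password,
        'scope'         => $scope,       // '*' is Passport's wildcard for every scope
    ]);
}

/** Renews an expired access token without asking for the password again. */
function refreshGrant(callable $post, string $tokenUrl, string $clientId, string $clientSecret,
                      string $refreshToken, string $scope = ''): array
{
    return requestToken($post, $tokenUrl, [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $refreshToken,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'scope'         => $scope,
    ]);
}

/** Real transport: application/x-www-form-urlencoded POST over HTTPS. */
function httpPost(string $url, array $params): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\nAccept: application/json\r\n",
        'content' => http_build_query($params),
        'timeout' => 5,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('POST to ' . $url . ' failed');
    }
    return $body;
}

// Constructed fake Passport replies, keyed on the grant type so the flow is visible.
$fakePost = function (string $url, array $params): string {
    $grant = $params['grant_type'];
    return json_encode([
        'token_type'    => 'Bearer',
        'expires_in'    => 31536000,
        'access_token'  => "access-for-{$grant}",
        'refresh_token' => "refresh-for-{$grant}",
    ]);
};

$tokenUrl = 'https://app.example/oauth/token'; // constructed host
$first    = passwordGrant($fakePost, $tokenUrl, '2', 'client-secret', 'alice@example.com', 'hunter2', '*');
assert($first['access_token'] === 'access-for-password');

$second = refreshGrant($fakePost, $tokenUrl, '2', 'client-secret', $first['refresh_token']);
assert($second['access_token'] === 'access-for-refresh_token');
// API calls then carry the header:  Authorization: Bearer <access_token>
```

The password grant only makes sense for clients you own, because it handles the user's actual password; third-party clients get the authorization code grant instead, where the user authenticates on your server and the client receives only a short-lived code to exchange at the same endpoint. Store refresh tokens as carefully as passwords, since anyone holding one can mint new access tokens until it is revoked.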

tagged: laravel passport oauth2 grant types password thirdparty server

Link: https://laravel-news.com/2016/08/passport-grant-types/

Tighten.co:
Creating a password-less, Medium-style, email-only authentication system in Laravel
Mar 14, 2016 @ 14:29:55

On the Tighten.co blog Matt Stauffer shows how to make a password-less authentication system similar to what the popular site Medium uses centered around emails sent to the account for the user.

Recently I was working on a project where one of our major pain points was users' passwords. Users were added to the application by administrators, so they didn't have passwords when they were first added, and forcing them to set and remember passwords was a big hitch on the project's usability.

So, we decided to try out a Medium/Slack-inspired password-less login. If you've never had the chance to work with this, the login system works like this: enter your email address on the login page, get emailed a login link, click the link, and now you're logged in. Access to your email address proves your identity without the need for a password.

He walks through replacing the password-based flow by modifying the controllers and views that "make:auth" generates. When the user comes to the site, they're asked to enter their email and are sent a message containing a link with a unique token that matches a row stored server side for that user. He shows how to build the token table and its model, and the endpoint that verifies the token once the user clicks the link.
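One implementation of the token issue-and-redeem cycle that both this post and the SitePoint magic-link tutorial above describe, as an added example in plain PHP rather than Laravel; it is not code from either tutorial. The in-memory store stands in for the token table, the base URL is constructed, and the expiry window is this example's choice. It adds the checks a practitioner wants that a minimal tutorial may skip: a CSPRNG token, only its hash stored, a short lifetime, and single use.

```php
<?php
declare(strict_types=1);

// Added example serving both magic-link posts; not from either tutorial.
// Design points: 256-bit token from random_bytes(); the database holds only
// sha256(token), so a leaked table cannot be replayed; lookup is by that hash, so
// the callback never trusts a user-supplied email; tokens expire and are single use.

const TOKEN_TTL_SECONDS = 900; // 15 minutes, this example's choice

/** Constructed in-memory stand-in for the login_tokens table. */
final class TokenStore
{
    private $rows = []; // token_hash => ['user_id' => int, 'expires_at' => int]

    public function put(string $tokenHash, int $userId, int $expiresAt): void
    {
        $this->rows[$tokenHash] = ['user_id' => $userId, 'expires_at' => $expiresAt];
    }

    /** Fetches and deletes in one step: a token is consumed on its first use, valid or not. */
    public function take(string $tokenHash): ?array
    {
        if (!isset($this->rows[$tokenHash])) {
            return null;
        }
        $row = $this->rows[$tokenHash];
        unset($this->rows[$tokenHash]);
        return $row;
    }
}

/** Step 1 (login form submitted): mint a token, store its hash, return the URL to email. */
function issueMagicLink(TokenStore $store, int $userId, string $baseUrl, int $now): string
{
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '='); // URL-safe base64
    $store->put(hash('sha256', $token), $userId, $now + TOKEN_TTL_SECONDS);
    return $baseUrl . '/login/magic?token=' . $token;
}

/** Step 2 (link clicked): resolve the token to a user id, or null if invalid, expired or used. */
function redeemMagicLink(TokenStore $store, string $token, int $now): ?int
{
    $row = $store->take(hash('sha256', $token));
    if ($row === null || $now > $row['expires_at']) {
        return null;
    }
    return $row['user_id'];
}

function tokenFromUrl(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return (string) ($query['token'] ?? '');
}

$store = new TokenStore();
$now   = time();

$url = issueMagicLink($store, 42, 'https://app.example', $now);
assert(redeemMagicLink($store, tokenFromUrl($url), $now + 60) === 42);   // first use succeeds
assert(redeemMagicLink($store, tokenFromUrl($url), $now + 60) === null); // replay is rejected

$late = issueMagicLink($store, 42, 'https://app.example', $now);
assert(redeemMagicLink($store, tokenFromUrl($late), $now + TOKEN_TTL_SECONDS + 1) === null); // expired

assert(redeemMagicLink($store, 'not-a-real-token', $now) === null);
```

Respond identically whether or not the submitted email exists (always "check your inbox"), so the login form does not become a user-enumeration oracle, and rate-limit issuance per address. Since the email inbox is now the sole factor, the system is exactly as strong as the user's mail account.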

tagged: laravel password email login medium link random hash tutorial

Link: http://blog.tighten.co/creating-a-password-less-medium-style-email-only-authentication-system-in-laravel

Paragon Initiative:
How to Safely Store a Password in 2016
Feb 16, 2016 @ 17:19:46

On the Paragon Initiative site they've posted a new article showing you how to safely store a password (in 2016) that discusses both the concepts around good password hashing and how to do it in several languages (including PHP).

The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?

He advises libsodium for the strongest protection but points out that it's not widely available yet. bcrypt, however, is, including in PHP. He shows how to hash a password in:

  • PHP
  • Java
  • C# (.NET)
  • Ruby
  • Python
  • Node.js

Each is essentially a one-line call that takes little effort on the developer's part. He ends the post with a few FAQs around Argon2, PBKDF2 and why he advises bcrypt over scrypt.
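One caveat that goes with the bcrypt advice, as an added example that is not from the Paragon article: bcrypt reads at most 72 bytes of its input, so passwords that differ only after byte 72 hash identically. The block demonstrates the truncation with PHP's password_hash and shows a common mitigation, pre-hashing with SHA-384 and base64-encoding so bcrypt always sees 64 ASCII characters; the choice of SHA-384 and the cost values are this example's.

```php
<?php
declare(strict_types=1);

// Added example, not the Paragon article's code: bcrypt's 72-byte input limit.

/** True when bcrypt accepts a password that differs from the original only beyond byte 72. */
function bcryptIgnoresTail(): bool
{
    $prefix = str_repeat('a', 72);
    $hash   = password_hash($prefix . 'X', PASSWORD_BCRYPT, ['cost' => 10]);
    return password_verify($prefix . 'Y', $hash);
}

/**
 * Pre-hash: sha384 raw output is 48 bytes, base64 makes it 64 printable chars with
 * no NUL bytes, comfortably inside bcrypt's limit and covering the whole password.
 */
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function hashLongPassword(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyLongPassword(string $password, string $hash): bool
{
    return password_verify(prehash($password), $hash);
}

$prefix = str_repeat('a', 72);
assert(bcryptIgnoresTail() === true);              // plain bcrypt: byte 73 onward is ignored

$hash = hashLongPassword($prefix . 'X');
assert(verifyLongPassword($prefix . 'X', $hash) === true);
assert(verifyLongPassword($prefix . 'Y', $hash) === false); // pre-hashed: the tail now matters
```

Pre-hashing changes the input to bcrypt, so it cannot be switched on for hashes already in the database; introduce it on rehash-at-login the same way a cost increase is rolled out. Argon2 (available through password_hash from PHP 7.2) has no such input limit, which is one more reason the article points toward it where it is available.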

tagged: password hash libsodium advice bcrypt language tutorial

Link: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016