Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Tighten.co:
Creating a password-less, Medium-style, email-only authentication system in Laravel
Mar 14, 2016 @ 09:29:55

On the Tighten.co blog Matt Stauffer shows how to make a password-less authentication system similar to what the popular site Medium uses centered around emails sent to the account for the user.

Recently I was working on a project where one of our major pain points was users' passwords. Users were added to the application by administrators, so they didn't have passwords when they were first added, and forcing them to set and remember passwords was a big hitch on the project's usability.

So, we decided to try out a Medium/Slack-inspired password-less login. If you've never had the chance to work with this, the login system works like this: enter your email address on the login page, get emailed a login link, click the link, and now you're logged in. Access to your email address proves your identity without the need for a password.

He walks you through the process of disabling the current password-based flow by creating and modifying the default "make:auth" results. When the user comes to the site, they're asked to log in via sending an email. This email contains a unique token attached to a link that matches one on the server side related to the user. He shows how to build out this relation table, the matching model and the endpoint used to verify the hash once the user clicks on the link.

tagged: laravel password email login medium link random hash tutorial

Link: http://blog.tighten.co/creating-a-password-less-medium-style-email-only-authentication-system-in-laravel

Paragon Initiative:
How to Safely Store a Password in 2016
Feb 16, 2016 @ 11:19:46

On the Paragon Initiative site they've posted a new article showing you how to safely store a password (in 2016) that discusses both the concepts around good password hashing and how to do it in several languages (including PHP).

The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?

He advises using libsodium for some of the best protection but points out that it's not widely supported yet. An alternative that is, however, is bcrypt (including PHP. He shows how to hash a password in:

  • PHP
  • Java
  • C# (.NET)
  • Ruby
  • Python
  • Node.js

Each of them is basically a one-line kind of change and doesn't require much effort on the developer's part to implement. He ends the post with a few FAQs around Argon2, PBKDF2 and why he's chosen to advise bcrypt over scrypt.

tagged: password hash libsodium advice bcrypt language tutorial

Link: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

Lorna Mitchell:
Upgrade To Better Passwords in PHP
Jan 11, 2016 @ 09:44:55

In a new post to her site Lorna Mitchell encourages you to upgrade to better passwords by using either the built-in password hashing (since PHP 5.5) or by using the userland implementation (that works for >=PHP 5.3.7).

The password features in PHP aren't exactly new, but I see lots of applications from "before" which aren't being migrated to better practices. I have some strategies for doing these migrations so I thought I'd share my main approach, plus a similar-but-different one I saw in the wild (OK it was in CakePHP, so not too wild!).

She offers a few steps to follow to upgrade your application to use the bcrypt solution instead of your current format:

  • Update Login Code (change SQL to just fetch the password, not evaluate it)
  • Hash existing passwords
  • Update registration code (for new passwords to use the new method)
  • Migrate users with old passwords hashes once they've verified their current login

She also mentions alternatives to these approaches including forcing the user to change their password on login.

tagged: password hash bcrypt userland passwordcompat upgrade rehash tutorial

Link: http://www.lornajane.net/posts/2016/upgrade-better-passwords-php

Paragon Initiative:
Choosing the Right Cryptography Library for your PHP Project: A Guide
Nov 16, 2015 @ 12:19:16

On the Paragon Initiative blog there's a new article posted that wants to help you pick the right cryptography library for your project and your needs. In it they make several recommendations and the benefits of each.

Cryptography is not magic. Adding encryption to an application doesn't automatically make it secure against attackers (especially if you aren't authenticating your ciphertext). But if you do need it to satisfy a business need, conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library.

Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Let's look at some good choices. (We won't cover any terrible choices.)

The three libraries they recommend are: Halite, the Libsodium library, the Defuse Security PHP Encryption library and the PHPSecLib library. For each they make some recommendations on places they may be most effective and how it using them relates to passwords (hint, hashing over encryption).

tagged: cryptography library choice hailite libsodium phpencryption phpseclib password

Link: https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

Fortrabbit.com:
Is your database password stored safely?
Sep 08, 2015 @ 11:48:18

The Fortrabbit blog has a post that want to help you store your database password securely and away from prying attacker eyes. While they use the example of a a database password, credentials for just about any other service could be protected the same way.

How do you protect your access data? Your sensitive secrets, basically anything your PHP application uses to authenticate or authorize with other services such as databases, caches, cloud storages, image resize services, transactional mail providers. All of them. Where do you put this — easily accessible while in development and secure for production?

They start by pointing out a few places where they should not be stored: in your code, in a version control system or in an environment variable (plain text). Instead, they suggest using a combination of a secret key that's configured in the application and encrypted versions of the values in environment variables. Some code is included showing how to set this up in a Laravel-based application, but the principle can be applied independent of the framework too with some other simple tools. They end the post with some links to other articles including a "considered harmful" piece reinforcing their methods.

tagged: credential protection password database tutorial encryption environment variable

Link: http://blog.fortrabbit.com/how-to-keep-a-secret

Paragon Initiative:
Secure Data Encryption in Web Applications with PHP
Aug 03, 2015 @ 10:58:47

The Paragon Initiative has posted a new white paper to their site covering secure data encryption in web applications written in PHP. The paper covers high level topics and offers some more practical suggestions about tools and guides to use in protecting your applications.

Encrypting network communications is absolutely essential to the security of anyone who wishes to use your website or application. The standard and most reliable form of network encryption is called Transport Layer Security (TLS), which was preceded by and older standard called Secure Socket Layer (SSL).

Websites that use SSL or TLS are accessible by typing https://domain.com into your browser instead of just http://domain.com. Consequently, the shorthand way to refer to HTTP over TLS is simply HTTPS. Contrasted with network cryptography, storing sensitive information is a much more challenging and interesting problem to solve, and is the focus of this paper.

Among the topics covered in the white paper are things like:

  • The flow of a HTTPS request (and if it's "fast" or not)
  • Secure password storage and handling
  • On-demand encryption/decryption
  • Cryptography library recommendations
  • Using asymmetric cryptography with public and private keys

They also point to this curated list of resources to help you learn more about general web application security including cryptography.

tagged: secure application cryptography https password library libsodium resources

Link: https://paragonie.com/white-paper/2015-secure-php-data-encryption

IBM developerWorks:
PHP renewed: Password security in modern PHP
Apr 17, 2015 @ 08:53:15

The IBM developerWorks site has a new tutorial posted talking about how PHP has been "renewed" in recent versions, more specifically in the password security department.

When PHP was first crafted in the mid-1990s, the term web application didn't even exist yet. Password protection, then, wasn't one of the features that the PHP creators devoted resources to. After all, you didn't need to worry about passwords when you used PHP just to put a site-visit counter or a date-modified stamp on your web page. But 20 years have passed, and now it's almost unthinkable to create a web application that doesn't involve password-protected user accounts. It's of the utmost importance that PHP programmers safeguard account passwords by using the latest and most secure methods.

The article goes on to talk about the importance of using secure hashing methods for password storage, the speed at which "cracking" programs can run and the use of "rainbow tables". It then gets into some of the older methods commonly used for password storage and protection and shows how to refactor them into the new password hashing functionality introduced in PHP 5.5.

tagged: password security hashing renewed modern language release

Link: http://www.ibm.com/developerworks/web/library/wa-php-renewed_2/index.html

Evert Pot:
The problem with password_hash()
Feb 25, 2015 @ 10:51:04

Evert Pot has shared some of his thoughts about why he has a problem with password_hash (and friends). His thoughts are initially about this particular feature but they're actually wider than that.

The initial introduction and rfc for these functions made me uneasy, and I felt like a lone voice against many in that I thought something bad was happening. I felt that they should not be added to the PHP engine. I think that we should not extend the PHP engine, when it's possible to write the same API in userland, or there are significant benefits to do it in PHP, such as performance. Since the heavy lifting of the password functions is done by underlying libraries that are already exposed to userland-PHP, it didn't make sense to me to expose it as well in the core.

He includes a list of things he sees as drawbacks for new C-based functionality in PHP including the fact that it extends the "PHP specification" and forces other projects to implement it (like HHVM). He does include a few positives, though, such as the increased visibility and legitimacy, but still thinks they don't outweigh the negatives.

tagged: password hash core language c implementation opinion userland

Link: http://evertpot.com/password-hash-ew/

The Code of a Ninja:
Salt, Hash and Store Passwords Securely with Phpass
Jun 16, 2014 @ 11:15:37

In this post to the CodeOfANinjs.com site, they walk you through password hashing, salting and storage using the PHPAss tool from OpenWall. The post itself is a bit older, but the content still provides a good example to teach the basics.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steal your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMS already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

The tutorial shows you how to use the library and how to store the result in a simple "users" table in a MySQL database. The examples hash the password given from a simple form and use prepared statements (via PDO) to save it to the database. All PHP, HTML and CSS code you'll need - including the login form that checks the username/password - is included. There's also a few screenshots showing what the resulting forms and data should look like.

tagged: phpass tutorial hash salt password storage mysql user

Link: http://www.codeofaninja.com/2013/03/php-hash-password.html

Anna Filina:
Brute-force countermeasures
Jun 11, 2014 @ 10:09:10

In her latest post Anna Filina has made some recommendations of countermeasures you can use to help prevent abuse against brute force attacks in your applications. The recommendations aren't PHP-specific, but they're a good guide and a place to start.

Password brute-forcing refers to trying all password permutations until the attacker finds the right one. Here are some of the most common ways to mitigate that risk: increase the length of the password and increase the number of possible characters. [...] The human factor should not be ignored here. People often use letters in the beginning and numbers at the end.

She recommends a few other tactics to helping prevent the brute forcing including locking an account after a number of unsuccessful login attempts and requiring a CAPTCHA after a number of unsuccessful logins. She recommends not relying on a single method to help prevent this kind of attack, however. Multiple layers can only help, but be careful not to introduce too much complexity.

tagged: brute force attack countermeasure password

Link: http://afilina.com/brute-force-countermesures