News Feed
Jobs Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Anthony Ferrara:
Why I Don't Recommend Scrypt
March 13, 2014 @ 10:11:59

Anthony Ferrara has a new post today looking at password hashing and a type of hashing that's beginning to get more attention in the PHP community - scrypt. However, he doesn't recommend it for production password storage and shares his reasoning why.

Scrypt was not designed for password storage. It was designed as a key derivation function for generating keys from weak material (namely passwords). The prime type of attack that scrypt is designed to defeat is ASIC based attackers. It is not designed to try to favor CPU over GPU (and thereby defeat GPU based attacks). It is this fact that we can leverage to gain an advantage when used as a password hashing mechanism.

He covers some of the basic design decisions that were made when scrypt was created. He also points out that none of the results of these decisions are strictly fatal, they just make it a bit weaker than something like bcrypt for password storage. He goes through the basic inputs scrypt requires and includes a quick snippet of code (not PHP, but easy to understand) showing its use. He talks about its "chain of 4 operations" and gets into what he sees as limitations: loop unrolling and the tune-able reduced memory usages. He finishes off the post mentioning that scrypt is still secure, but despite this he doesn't recommend it for password storage specifically.

0 comments voice your opinion now!
scrypt recommend hashing password

Link: http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html

SitePoint PHP Blog:
Risks and Challenges of Password Hashing
March 11, 2014 @ 09:31:45

The SitePoint PHP blog has a new post today about the challenges of password hashing and some of the common risks that can come with it. It's a continuation of a previous article about the actual techniques for hashing in PHP.

The fact that the output of a hash function cannot be reverted back to the input using an efficient algorithm does not mean that it cannot be cracked. Databases containing hashes of common words and short strings are usually within our reach with a simple google search. Also, common strings can be easily and quickly brute-forced or cracked with a dictionary attack.

He points to a video demonstrating a method for getting the password data and why just salted hashes aren't a secure method for storing this information. He mentions a "randomness issue" (and PHP's rand function). Instead, he shows an example with openssl_random_pseudo_bytes o pull a chunk of randomized data. He then talks some about password stretching using the PBKDF2 handling in PHP. Finally, he goes past the hashing and gets into encryption, mentioning "password tweaking" as an alternative to generating a single key for every user.

0 comments voice your opinion now!
password hashing encryption challenge risk tutorial

Link: http://www.sitepoint.com/risks-challenges-password-hashing/

PHPBuilder.com:
Implementing Secure Passwords in PHP 5.5
January 29, 2014 @ 11:17:40

On PHPBuilder.com today there's a new post introducing you to a relatively recent advancement in PHP (in version 5.5), the password hashing API. In this article they cover the basics including hashing and verifying the result.

PHP has always had a few simple ways to implement password hashing to an extent. MD5 and SHA1 are examples of this, but the security of these methods is not what it should be. [...] What we need is a secure password encryption mechanism that uses SALT and perhaps even something else to help us safely encrypt our passwords for later use. [...] Lucky for us, the folks at PHP have thought about this long and hard, and the result is a very simple PHP password hashing API that is not only easy to use, but fast and secure.

They briefly look at the two major functions in the updated feature - password_hash and password_verify and some basic code examples of their use.

0 comments voice your opinion now!
secure password hash php55 passwordhash passwordverify introduction

Link: http://www.phpbuilder.com/articles/application-architecture/security/implementing-secure-passwords-in-php-5.5.html

Hasin Hayder:
Create personalized phar files in PHP
January 15, 2014 @ 09:32:42

Hasin Hayder has a quick post talking about the creation of personalized phar files (packaged up PHP applications) using the Box Project tool.

Created a screencast to show how you can create phar files, most importantly personalized phar files to store some information inside it and protect it using user's password. Those information is usable only when user providers a correct password. For packaging, I have used http://box-project.org which is an excellent phar packager. I've also used two functions from Josh Hartman's blog to encrypt and decrypt data using Rijndael algorithm.

You can watch the full screencast over on YouTube. It walks you through the entire process of creating a simple script, using the two functions (mc_encrypt and mc_decrypt) to handle the encryption and defining the Box configuration JSON to create the package.

0 comments voice your opinion now!
phar file tutorial screencast boxproject encryption password

Link: http://hasin.me/2014/01/14/create-personalized-phar-files-in-php

Jeremy Kendall:
PHP Password Hashing A Dead Simple Implementation
January 08, 2014 @ 11:48:23

In this recent post to his site Jeremy Kendall shares some of his thoughts about password hashing and a new library he's written to help make it simpler - event with an existing password hashing method in place.

We all know to encrypt passwords for highest level of security. Unfortunately, too many do it [the wrong way]. While there was never any excuse for getting it that wrong, there's now no excuse for getting it wrong at all. Developers, meet the new(-ish) PHP password hashing functions (and the userland implementation password-compat).

He shows how to use this password hashing correctly with the "default" hash and how to store that in the database. His Password Validator library aims to help make this even simpler and adds in other features like rehashing and upgrading of legacy passwords. The remainder of the post shows how to use the library for these functions and how to persist them in the tool's storage decorator and interface functionality.

0 comments voice your opinion now!
password hashing implementation validator opensource library

Link: http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/

BitExpert.de Blog:
Composer, Bower and HTTP Basic Auth
December 27, 2013 @ 11:16:23

Stephan Hochdörfer has shared a handy tip for the Composers users out there that may have to deal with username/password protected repositories as a part of your package install process. In his post he shows how to use a simple "expect" script to automatic the HTTP Basic Auth login.

A couple of months ago when we set-up our own internal Satis repository to host our custom Composer packages. We ran into an "unpleasant" issue with Composer that had this PR as an result. To sum things up: We are using HTTP Basic Auth to password-project our Satis repository. There was no way we could switch to an SSL client certificate to allow Composer to authenticate itself automatically without asking for a password. Asking for the password on a developer`s machine is no big thing, but it since we need an automated Composer run in our Jenkins environment, there was no way to set things up.

As Composer doesn't currently support this functionality, they had to find a way around it. They went with an expect script that is used to work with the prompts and send the username/password information when expected. He also points out that this could be useful for other situations and tools - like a Bower build.

0 comments voice your opinion now!
composer satis username password http basic authorization bower expect

Link: http://blog.bitexpert.de/blog/composer-bower-and-http-basic-auth/

Timoh's Blog:
Aggressive password stretching - A solution to the low-entropy keys problem?
November 29, 2013 @ 10:15:30

While not specifically related to PHP, this new post from Timoh looks at the idea of "aggressive password stretching" to help with a common problem in password-based systems - the poor choice of passwords from the application's users.

Practically speaking, "weak" means a user generated password will not contain enough guessing entropy to resist an adversary who managed to gain the user database dump, and who is able to run efficient offline attack against leaked hashes. Here comes in the need to make adversary's job harder, which is achieved by using the above-named algorithms.

He doesn't talk much about the actual password hashing itself, instead focusing on how the password stretching - the addition of more information not from the user (usually an automated source) to increase it password entropy. He goes through some of the math about how much extra work is required for an attacker with this method and some of the problems that can come with it. He talks about how much time should be spent in the hashing of the passwords and suggests that it's "a matter of finding a sweet spot between you and attacker's patience and the security gain" and not just about the security.

A bit more on the PHP-specific side, he briefly looks at the password_hash function and some of the defaults the more current frameworks use (hint: bcrypt all the things).

Proper password hashing is clearly not enough to make sure the password hashes are not weak. The other half of the job is a good password policy. No algorithm or setting will save passwords like "password" or "12345" etc. This is why we need to make sure the user's password will initially contain enough entropy itself.
0 comments voice your opinion now!
password stretching hashing aggressive entropy solution

Link: http://timoh6.github.io/2013/11/26/Aggressive-password-stretching.html

SitePoint PHP Blog:
Hashing Passwords with the PHP 5.5 Password Hashing API
September 17, 2013 @ 13:38:00

On the SitePoint PHP blog today there's a new tutorial walking you through a new feature of PHP 5.5 that can help you create more secure password hashes easily - the Password Hashing API.

Using bcrypt is the currently accepted best practice for hashing passwords, but a large number of developers still use older and weaker algorithms like MD5 and SHA1. Some developers don't even use a salt while hashing. The new hashing API in PHP 5.5 aims to draw attention towards bcrypt while hiding its complexity. In this article I'll cover the basics of using PHP's new hashing API.

He starts by introducing the functions involved to create, verify get general information and see if the hash needs to be regenerated. For each function he provides a summary of what it does and some sample code putting it to use. If you haven't upgrade to PHP 5.5 yet and still want to use it, consider adding this library to your application. It provides the same interface, just in a "userland" implementation.

0 comments voice your opinion now!
password hashing api tutorial introduction passwordcompat

Link: http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api

Mike Dalisay:
Salt, Hash and Store Passwords Securely with Phpass
April 08, 2013 @ 12:16:29

On Mike Dalisay's site there's a recent post showing how to use the Phpass tool to salt, hash and store passowrd data in your application.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steal your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMS already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

His sample application stores the user data in a MySQL database and does the salting+hashing at the time of the request. It uses a hard-coded salt and a value of 8 for the hashing/stretching. Screenshots of each page in the example application are also included.

0 comments voice your opinion now!
phpass salt hash password mysql tutorial email validate

Link: http://www.codeofaninja.com/2013/03/php-hash-password.html#.UVziYKUm0sc.dzone

Andrew Podner:
PHP 5.5 Preview New Password Hashing API
March 25, 2013 @ 12:32:26

Andrew Podner has posted about the password hashing functionality that's coming with PHP 5.5 - how it will work and some of the benefits of its use.

Recently PHP 5.5 was released into beta, which puts us one step closer to another release of PHP. This week, I thought I would spend a little time explaining a new feature that will be implemented in 5.5 that will hopefully make dealing with passwords easier for developers to grasp and properly implement. I cannot tell you the number of apps, even ones written within the last year or so, that I open up only to find either an md5 hash, or worse, clear text password storage. I keep telling myself that eventually this will come to an end, and people will stop taking the easy way out. Maybe PHP 5.5 will have made it so easy that there is simply no further excuse not to implement solid password hashing.

He includes an example of the four new functions that will come with the hashing functionality: password_get_info, password_hash, password_needs_rehash and password_verify. He includes the parameters that should be included in each call and the details from the call to get the hash's info. If you're not going to be able to move up to PHP 5.5 when it's released, you might consider looking into this compatibility library to have a similar interface and functionality (for 5.3.7 or greater).

0 comments voice your opinion now!
preview password hashing api compatibility library introduction



Community Events











Don't see your event here?
Let us know!


database framework example application performance security composer component language symfony2 podcast release facebook project package introduction install hack unittest hhvm

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework