Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Anthony Ferrara:
Why I Don't Recommend Scrypt
Mar 13, 2014 @ 15:11:59

Anthony Ferrara has a new post today looking at password hashing and a type of hashing that's beginning to get more attention in the PHP community - scrypt. However, he doesn't recommend it for production password storage and shares his reasoning why.

Scrypt was not designed for password storage. It was designed as a key derivation function for generating keys from weak material (namely passwords). The prime type of attack that scrypt is designed to defeat is ASIC based attackers. It is not designed to try to favor CPU over GPU (and thereby defeat GPU based attacks). It is this fact that we can leverage to gain an advantage when used as a password hashing mechanism.

He covers some of the basic design decisions that were made when scrypt was created. He also points out that none of the results of these decisions are strictly fatal, they just make it a bit weaker than something like bcrypt for password storage. He goes through the basic inputs scrypt requires and includes a quick snippet of code (not PHP, but easy to understand) showing its use. He talks about its "chain of 4 operations" and gets into what he sees as limitations: loop unrolling and the tune-able reduced memory usages. He finishes off the post mentioning that scrypt is still secure, but despite this he doesn't recommend it for password storage specifically.

tagged: scrypt recommend hashing password

Link: http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html

Scott Arciszewski:
Using scrypt in PHP-based Websites
Oct 30, 2013 @ 15:48:18

Scott Arciszewski has posted a new tutorial to his site helping you get scrypt installed as an alternative to some of the other cryptographic functionality that's already supported by PHP (like bcrypt).

Most newbie PHP developers suck at developing user authentication systems. When not storing passwords in plaintext, they just wing it with a simple hash function and hope it's good enough. Instead of md5(), sha1(), or hash(), you should consider using scrypt, pbkdf2, or bcrypt. Today, I'll go through the steps required to start using scrypt in your web applications.

He walks you through the exact steps you'll need to get scrypt installed and working happily with PHP (provided you have root on the machine). Thankfully, it's pretty easy thanks to the scrypt extension provided through PECL. He gives a brief introduction to using the scrypt function and links to an updated version of a scrypt wrapper you can use in your applications.

tagged: scrypt cryptography hashing extension pecl tutorial

Link: https://s.arciszewski.me/blog/2013/10/php-scrypt-setup


Trending Topics: