[article draft] Password hashing howto and hownotto


allicient
Forum Newbie
Posts: 9
Joined: Fri Sep 19, 2008 7:11 pm

Re: [article draft] Password hashing howto and hownotto

Post by allicient »

As far as I'm aware there are two canonical ways of storing a hashed password (without consideration of any challenge-response authentication scheme... which is generally avoided in web apps because it implies use of JavaScript crypto which isn't particularly good):

i) Store the pair Hash( salt || password ), salt in the database where the salt is unique for each password stored - this is an essential constraint (we're back to using /dev/urandom and probably concatenate with microtime as well). Using an additional constant salt is equivalent to a keyed hash, and is only useful if you can actually keep the key secret (which is unlikely if the webserver and database are on the same host). But in this instance I do tend to agree with you - it's an easy way to get an additional layer of security, and have myself used this form in several implementations I've coded.

ii) Use something like PKCS#5 PBKDF2, again you'll be passing as an input "salt || password". This method (if the iteration count is high enough) makes it exceedingly difficult to mount an exhaustive search of the password space - even for relatively poor passwords.

Now, (ii) or similar is preferable and is used in products such as PGP (as far as I know) and PasswordSafe. Unfortunately, the (deliberate) time penalty may be too much for a webserver, and enforcing minimum password complexity with (i) may be more viable.


Note: I don't think (could be wrong, it's been known to happen) there is *any* loss of entropy with applying the hash function multiple times (e.g. you're "double hashing", or PBKDF), although I would probably need to spend some time to do a proof and check. MD5, for example, pads its input with zeros to the 448th bit then appends a 64-bit value indicating the length to give a 512-bit input block. Given all the functions within MD5 are bijective, and that the only variable quantity in the repeated input is the 128-bit previous output (the rest are constant) - then H o H( x) should also be bijective, so H o H o .... o H( x ) is also bijective and hence no loss of entropy. Most MD-style hash functions also do not produce small cycles particularly easily, despite being poor on other fronts.


I liked that you'd written an article on this, it needs to be done. Even coders of very popular software can repeatedly get it wrong: http://www.lightbluetouchpaper.org/2008 ... erability/
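The two storage schemes described in the post above, as an added PHP example that is not part of the original thread. The function names, the `$`-separated record layout, SHA-256 and the iteration count are assumptions for illustration; note that PHP's `hash_pbkdf2()` takes the salt as its own argument rather than concatenated with the password.

```php
<?php
// Added example (not from the thread). Function names and the stored
// record layouts are assumptions chosen for illustration.

// Scheme (i): Hash(salt || password) with a salt unique to each password.
function salted_hash_create(string $password): string {
    $salt = random_bytes(16);                 // CSPRNG, fresh for every password
    return bin2hex($salt) . '$' . hash('sha256', $salt . $password);
}

function salted_hash_verify(string $password, string $stored): bool {
    $parts = explode('$', $stored);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || strlen($parts[0]) % 2) {
        return false;                         // malformed record
    }
    $salt = hex2bin($parts[0]);
    return hash_equals($parts[1], hash('sha256', $salt . $password));
}

// Scheme (ii): PBKDF2. The iteration count is stored beside the hash so it
// can be raised later without invalidating existing records.
function pbkdf2_create(string $password, int $iterations): string {
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('sha256', $password, $salt, $iterations, 64); // 64 hex chars
    return $iterations . '$' . bin2hex($salt) . '$' . $dk;
}

function pbkdf2_verify(string $password, string $stored): bool {
    $p = explode('$', $stored);
    if (count($p) !== 3 || !ctype_digit($p[0]) || (int)$p[0] < 1
        || !ctype_xdigit($p[1]) || strlen($p[1]) % 2) {
        return false;                         // malformed record
    }
    $dk = hash_pbkdf2('sha256', $password, hex2bin($p[1]), (int)$p[0], 64);
    return hash_equals($p[2], $dk);           // constant-time comparison
}

// Constructed sample input.
$pw = 'correct horse battery staple';
$a = salted_hash_create($pw);
$b = salted_hash_create($pw);
var_dump($a !== $b);                          // same password, two distinct records
var_dump(salted_hash_verify($pw, $a), salted_hash_verify('guess', $a));

$t = microtime(true);
$rec = pbkdf2_create($pw, 100000);            // iteration count is an assumption
printf("PBKDF2 cost per hash: %.1f ms\n", (microtime(true) - $t) * 1000);
var_dump(pbkdf2_verify($pw, $rec), pbkdf2_verify('guess', $rec));
```

The printed timing is the deliberate per-login cost the post refers to; it is paid equally by the server on each login and by an attacker on each guess.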
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: [article draft] Password hashing howto and hownotto

Post by califdon »

I am woefully ignorant of this level of authentication security, but I learned a lot from reading your draft, Mordred, and add my thanks to that of others for your effort. About all I can contribute is a spelling correction: fashist -> fascist. And I must comment that, for a non-native English writer, you do remarkably well!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: [article draft] Password hashing howto and hownotto

Post by kaisellgren »

Damn, you beat me at English :( - I'm also learning English, well, actually I'm just "trying" to.

Nice article you got there. I would add saucing to it, though.
Last edited by kaisellgren on Tue Sep 30, 2008 8:23 am, edited 1 time in total.
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: [article draft] Password hashing howto and hownotto

Post by papa »

Very nice article! Exactly what I was looking for!
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: [article draft] Password hashing howto and hownotto

Post by The_Anomaly »

This article is pure awesome on so many levels. Best web security article I've ever read. Hopefully you'll find the time to write similar articles--whether it's on encryption, or just security in general.
Ijekic
Forum Newbie
Posts: 11
Joined: Sat Aug 16, 2008 11:36 am
Location: Belgrade, Serbia

Re: [article draft] Password hashing howto and hownotto

Post by Ijekic »

Yeah, extremely well written, thank you!
But since I'm a beginner, what I need is more of a how-to approach on how to implement the stuff. Fortunately, the article from Maugrim has all the details.

P.S.
I was amazed with your English fluency too!! Woow! Every time I go to Sofia, I talk on some kind of Serbo-Bulgarian, because people usually don't know English well, but you.... 8O
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: [article draft] Password hashing howto and hownotto

Post by Hannes2k »

Hi,
what do you think about this class/script: Improved Hash Algorithm

It uses key strengthening for a more secure password hash so that the life for the bad guys would be really unpleasant ;).