PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 Post subject: password hashing
PostPosted: Wed May 02, 2012 7:43 am 
Forum Newbie

Joined: Wed May 02, 2012 7:39 am
Posts: 1
I've been searching and reading for the last 2 days about PHP password cryptographic hashing.

The most common and secure functions I came across were sha256/512, bcrypt, HMAC, PBKDF2 (Password-Based Key Derivation Function) and PHPass.

From what I've been reading, speed is an enemy (http://codahale.com/how-to-safely-store-a-password/).
So I've been looking for the "slowest" secure hashing algorithm, which I found is bcrypt and PHPass (http://www.openwall.com/phpass/).

Now I can't make up my mind which one to use.
What do you guys think? Which one should I go with and why?

Just to make sure:
1. bcrypt = crypt_blowfish, right?
2. bcrypt and PHPass are both hash + salt functions? I mean I don't have to add salt, they already have the salt function built in.

Thanks in advance!


 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 9:01 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
PHPass implements Blowfish when it's available, so it's the better choice. If Blowfish isn't available, it will make use of what is available whereas implementing crypt() directly would fail if Blowfish weren't available.

 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 9:49 am 
Briney Mod

Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6445
Location: 53.01N x 112.48W
I don't know if there's any reason to use a 3rd party library when decent hashing is built-in.

_________________
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.


 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 10:29 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
There is decent hashing built in, but what's available will depend on each server's configuration. You want to use blowfish when it's available, but you need a contingency for when it's not. You could certainly create your own library to handle this, but I'd sooner use something tried and tested. Surely a library developed and maintained by many people and subject to peer review will be better than anything I could manage alone. Plus, it saves me from having to waste time writing boilerplate code and allows me to get right to work on the project at hand.

 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 10:32 am 
Briney Mod

Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6445
Location: 53.01N x 112.48W
Good point, if you're running pre-5.3. From 5.3 on, PHP provides its own implementation of the algorithms if the system doesn't provide them.

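The bcrypt-through-crypt() route the last few posts describe, written out as an added example; this is not code from the thread, from PHPass, or from any PHP release. It assumes PHP 7.0 or later for random_bytes() and hash_equals() (on the 5.3 series discussed above, openssl_random_pseudo_bytes() and a byte-by-byte compare loop take their place), and the cost of 12 and the sample password are assumptions.

```php
<?php
// Added example, not code from the thread: bcrypt via PHP's built-in crypt(),
// with the availability check the posts above discuss and a fail-closed
// contingency instead of a silent fallback to a weak scheme.
// Assumes PHP >= 7.0 (random_bytes, hash_equals). Cost 12 is an illustrative default.

function bcrypt_available()
{
    // From 5.3 PHP bundles its own Blowfish crypt, so this is normally true;
    // on older builds it depends on what the system libc offers.
    return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

function bcrypt_salt($cost = 12)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 22 characters from the bcrypt alphabet [./A-Za-z0-9]: standard base64 of
    // 16 random bytes, with '+' swapped for '.', truncated before the '==' padding.
    $encoded = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    // "$2y$" (PHP >= 5.3.7) rather than "$2a$", whose handling of non-ASCII
    // passwords was buggy in PHP's bundled implementation before 5.3.7.
    return sprintf('$2y$%02d$%s', $cost, $encoded);
}

function make_password_hash($password, $cost = 12)
{
    if (!bcrypt_available()) {
        // Contingency: refuse rather than quietly hashing with md5/DES.
        throw new RuntimeException('CRYPT_BLOWFISH is unavailable; refusing to hash');
    }
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() signals failure with a short string such as "*0"; a bcrypt hash is 60 chars.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed to produce a bcrypt hash');
    }
    return $hash;
}

function check_password_hash($password, $stored)
{
    // Only accept records in the format we produce, so crypt() never gets handed
    // a salt that selects a weaker algorithm.
    if (strlen($stored) !== 60 || substr($stored, 0, 4) !== '$2y$') {
        return false;
    }
    // crypt() reuses the cost and salt embedded in $stored.
    $computed = crypt($password, $stored);
    // Constant-time comparison of the two 60-character strings.
    return hash_equals($stored, $computed);
}

// Usage with a constructed password:
$stored = make_password_hash('correct horse battery staple');
var_dump(check_password_hash('correct horse battery staple', $stored));
var_dump(check_password_hash('wrong password', $stored));
```

The cost is the knob the original poster was looking for: each increment doubles the work for both the login and the attacker, so pick the largest value the login path can tolerate and store it in the hash (as above) so it can be raised later without invalidating old records.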
 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 10:37 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
pickle wrote:
From 5.3 on, PHP provides its own implementation of the algorithms if the system doesn't provide them.

I was not aware of this. Good to know.

 
 Post subject: Re: password hashing
PostPosted: Wed May 02, 2012 10:41 am 
Briney Mod

Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6445
Location: 53.01N x 112.48W
I didn't until this morning either.

 
 Post subject: Re: password hashing
PostPosted: Fri May 04, 2012 10:40 pm 
Forum Newbie

Joined: Fri May 04, 2012 10:35 pm
Posts: 1
Any hash that uses a salt should be pretty secure. Even md5 should do just fine.


 
 Post subject: Re: password hashing
PostPosted: Sat May 05, 2012 7:17 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
cpellens wrote:
Any hash that uses a salt should be pretty secure. Even md5 should do just fine.

Read the article the OP linked. md5 is worthless.

 
 Post subject: Re: password hashing
PostPosted: Mon May 07, 2012 3:26 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
With a deliberately slow hashing scheme, you can hit a performance problem if you hash on the server side; someone could DoS your auth server with a low volume of requests. Moving hashing to the client is not trivial though: if you simply send the hashed password, you turn your auth system into a plaintext one.

An additional mitigation tactic that would help against brute-forcing attacks is to use a site-wide "pepper" hardcoded in the source. A successful attack would then require access not only to the database, but to your source as well. The article in my sig discusses this in more detail.

Also, while MD5 is "too fast", you can still use it on legacy systems (and poorly featured browser hashing libraries) with appropriate key stretching (http://en.wikipedia.org/wiki/Key_stretching). That said, using a modern hash like SHA256 is better.


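The two techniques in the post above, a site-wide pepper and key stretching of a fast hash, as an added example that is not code from the thread or from the article in the poster's signature. It assumes PHP 7.0 or later (random_bytes(), hash_equals(), hash_pbkdf2()); the pepper value, the record format, the iteration counts and the sample passwords are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Shows (1) a site-wide pepper bound to
// the password with HMAC before the stretched hash, and (2) key stretching of a
// fast hash (md5 or sha256) with PBKDF2 so every guess costs many hash evaluations.
// Assumes PHP >= 7.0. Pepper, record format and iteration counts are illustrative.

// Lives in source or a config file outside the web root, never in the database,
// so a database dump alone is not enough to run an offline attack.
const SITE_PEPPER = 'replace-with-32-plus-random-bytes-from-/dev/urandom';

// Bind the pepper to the password with HMAC rather than plain concatenation.
function pepper_password($password)
{
    return hash_hmac('sha256', $password, SITE_PEPPER);
}

// Record format (assumed): pbkdf2$<algo>$<iterations>$<hex salt>$<hex hash>
function stretched_hash($password, $algo = 'sha256', $iterations = 200000, $salt = null)
{
    if ($salt === null) {
        $salt = bin2hex(random_bytes(16));  // per-user salt, 128 bits
    }
    // PBKDF2 is the stretching loop the post refers to: $iterations chained HMACs.
    // With $algo = 'md5' this is exactly "legacy MD5 plus key stretching".
    $dk = hash_pbkdf2($algo, pepper_password($password), $salt, $iterations, 64);
    return sprintf('pbkdf2$%s$%d$%s$%s', $algo, $iterations, $salt, $dk);
}

function verify_stretched($password, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    list(, $algo, $iterations, $salt) = $parts;
    // The algorithm name comes from the database row: only accept ones PHP knows.
    if (!in_array($algo, hash_algos(), true) || (int) $iterations < 1) {
        return false;
    }
    $recomputed = stretched_hash($password, $algo, (int) $iterations, $salt);
    return hash_equals($stored, $recomputed);  // constant-time compare
}

// Legacy records (weaker hash or lower count) are spotted at login, when the
// plaintext is briefly available, and can be re-hashed with current parameters.
function needs_rehash($stored, $algo = 'sha256', $iterations = 200000)
{
    $parts = explode('$', $stored);
    return count($parts) !== 5 || $parts[1] !== $algo || (int) $parts[2] < $iterations;
}

// Usage with constructed input: one legacy md5 record, one current record.
$legacy  = stretched_hash('hunter2', 'md5', 10000);
$current = stretched_hash('hunter2');
var_dump(verify_stretched('hunter2', $legacy), needs_rehash($legacy));
var_dump(verify_stretched('hunter2', $current), needs_rehash($current));
var_dump(verify_stretched('Hunter2', $current));
```

One caveat the post does not spell out: because the pepper is folded into every hash, rotating it means re-hashing each user at their next login rather than rewriting the table offline, so treat it as a secret you protect, not one you plan to change often.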
 