PHP 5.5 should reduce password vulnerability
Posted on: 09/13/2012 04:47 PM
[
Comments
]
Version 5.5 of PHP will come with an API designed to allow administrators and developers to safely store passwords. With its help, developers will be able to use just one line of code to generate a secure salted password hash using bcrypt.
$hash = password_hash($password, PASSWORD_DEFAULT);
A salt is not needed; it will be auto-generated by the API if not present and added as a random component to the password. Verifying the password is equally easy:
password_verify($password, $hash);
Should the generated hashes land in the wrong hands, the thieves should only be able to reconstruct the corresponding plain text passwords with considerable effort, providing of course that the original passwords are long enough. The hash method Bcrypt is one that is very computationally intensive and requires a lot of memory, making it difficult to crack with GPUs. A system with eight CPU cores can generate around 5,000 hashes per second and a current GPU delivers similar results. By comparison, hashing with SHA1 would deliver numbers in the tens of millions.
Through the use of salts, the use of rainbow tables is also limited. If the user wants, the hash function call can not only specify its own salt but also adjust the complexity (cost) of the Bcrypt method or change the hashing method entirely. This information is stored along with the hashed password.
In the past, database extracts from web sites that contain the passwords of users as unsalted hashes or even in plain text have been published on the internet. With the new PHP APIs, administrators and developers should have no more excuses for such sloppiness it couldn't be much easier. Users who do not want to wait until PHP 5.5 arrives can download the in-development password library.
$hash = password_hash($password, PASSWORD_DEFAULT);
A salt is not needed; it will be auto-generated by the API if not present and added as a random component to the password. Verifying the password is equally easy:
password_verify($password, $hash);
Should the generated hashes land in the wrong hands, the thieves should only be able to reconstruct the corresponding plain text passwords with considerable effort, providing of course that the original passwords are long enough. The hash method Bcrypt is one that is very computationally intensive and requires a lot of memory, making it difficult to crack with GPUs. A system with eight CPU cores can generate around 5,000 hashes per second and a current GPU delivers similar results. By comparison, hashing with SHA1 would deliver numbers in the tens of millions.
Through the use of salts, the use of rainbow tables is also limited. If the user wants, the hash function call can not only specify its own salt but also adjust the complexity (cost) of the Bcrypt method or change the hashing method entirely. This information is stored along with the hashed password.
In the past, database extracts from web sites that contain the passwords of users as unsalted hashes or even in plain text have been published on the internet. With the new PHP APIs, administrators and developers should have no more excuses for such sloppiness it couldn't be much easier. Users who do not want to wait until PHP 5.5 arrives can download the in-development password library.
Comments
