PHP 5.5 should reduce password sloppiness

PHP 5.5 should reduce password sloppiness.

PHP iconVersion 5.5 of PHP will come with an API designed to allow administrators and developers to safely store passwords. With its help, developers will be able to use just one line of code to generate a secure salted password hash using bcrypt.

$hash = password_hash($password, PASSWORD_DEFAULT);

A salt is not needed; it will be auto-generated by the API if not present and added as a random component to the password. Verifying the password is equally easy:

password_verify($password, $hash);

Should the generated hashes land in the wrong hands, the thieves should only be able to reconstruct the corresponding plain text passwords with considerable effort, providing of course that the original passwords are long enough. The hash method Bcrypt is one that is very computationally intensive and requires a lot of memory, making it difficult to crack with GPUs. A system with eight CPU cores can generate around 5,000 hashes per second and a current GPU delivers similar results. By comparison, hashing with SHA1 would deliver numbers in the tens of millions.

Through the use of salts, the use of rainbow tables is also limited. If the user wants, the hash function call can not only specify its own salt but also adjust the complexity (cost) of the Bcrypt method or change the hashing method entirely. This information is stored along with the hashed password.

In the past, database extracts from web sites that contain the passwords of users as unsalted hashes or even in plain text have been published on the internet. With the new PHP APIs, administrators and developers should have no more excuses for such sloppiness – it couldn’t be much easier. Users who do not want to wait until PHP 5.5 arrives can download the in-development password library.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s