
Re: [brisbane-webtech] Re: on password encryption and storage

From: Scott
Sent on: Saturday, July 21, 2012 8:34 AM
I'd advocate for education and against "here's code to solve your problem". After dealing with other languages I can truly say I find the php manual to be exceptional amongst its peers. There's not much I haven't found to be extremely well documented.

specifically on md5...
"It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See here for details."

They clearly point you in a direction...

The first hashing function is crypt(), which natively supports several hashing algorithms. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

ok, so personal opinion starts here, I'd be absolutely against introducing a third party library with its security and maintainability implications unless there's a definite business requirement for introducing it (and I'm struggling to see one). We all remember the debian key generator, a third party library isn't going to receive patches from your distribution.

The examples clearly document the solution I'd take:

$password = crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$'); // specifically use blowfish, but randomise the salt
if (crypt($user_input, $password) === $password) { echo "Password verified!"; } // strict comparison: on error crypt() returns a short failure string such as "*0", which a loose == must never be allowed to match

Cheers, Scott.

On Fri, Jul 20, 2012 at 9:44 AM, Tim Robinson <[address removed]> wrote:
For someone looking for an easy solution they can implement quickly I'd recommend using PHPAss from

It's a hashing library that has already been scrutinized by many thousands of people, is used in Wordpress and is really easy to use. 

One of the most important things it does is use an algorithm that takes anywhere up to a second (depending on your settings) to verify a user's password. This is important because it means if anyone ever gets a copy of your database they can't try a million+ passwords a second like they can with normal hashing algorithms, instead it takes them a second per password, making it almost impossible for them to brute force crack your users' passwords. 
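The following is an added example for this thread, not code from either post or from the PHP manual. It ties together Scott's approach (bcrypt through the built-in crypt() with a randomised salt and a strict comparison) and Tim's point about making each verification cost a tunable fraction of a second. It assumes PHP 5.3.7 or later, because that release added the "$2y$" prefix that fixes a bug in the older "$2a$" handling of non-ASCII bytes, and it assumes the openssl extension for random bytes. The function names (bcrypt_salt, hash_password, constant_time_equals, verify_password, choose_cost) are this example's own.

```php
<?php
// Added example, not from the original posts. Assumes PHP >= 5.3.7 ("$2y$" bcrypt
// prefix) and the openssl extension. All helper names here are this example's own.

// Build a bcrypt salt string "$2y$<cost>$<22 chars>" from 16 random bytes.
function bcrypt_salt($cost)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no cryptographically strong random source');
    }
    // bcrypt's salt alphabet is ./A-Za-z0-9; base64 uses "+" and pads with "=",
    // so swap "+" for "." and keep only the first 22 characters.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hash_password($password, $cost = 10)
{
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Compare every byte without an early exit so response time does not reveal
// how many leading bytes matched. PHP 5.6 ships hash_equals() for this.
function constant_time_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function verify_password($password, $stored_hash)
{
    // The stored hash carries its own prefix, cost and salt, so passing it as
    // the "salt" argument makes crypt() re-derive the same hash on a match.
    return constant_time_equals(crypt($password, $stored_hash), $stored_hash);
}

// Raise the cost until a single hash takes at least $target_seconds on this
// hardware. Run this once at deployment time, not on every request; each
// +1 in cost roughly doubles the work for you and for an attacker.
function choose_cost($target_seconds, $max_cost = 31)
{
    for ($cost = 4; $cost <= $max_cost; $cost++) {
        $start = microtime(true);
        hash_password('benchmark', $cost);
        if (microtime(true) - $start >= $target_seconds) {
            return $cost;
        }
    }
    return $max_cost;
}

// Usage with a constructed password: the stored value is safe to put in the
// database as-is; the salt does not need its own column.
$stored = hash_password('correct horse battery staple', 10);
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('Tr0ub4dor&3', $stored));
echo 'cost for at least 0.25s of work on this machine: ', choose_cost(0.25), "\n";
```

Two things worth noticing: every stored hash starts with its own "$2y$10$" prefix and salt, so the cost can be raised later for new hashes without invalidating old ones, and verify_password() never touches the salt separately. If the manual's "$2a$" literal is kept instead of "$2y$", only PHP versions before 5.3.7 are affected by the bug mentioned above; on later versions both prefixes produce the same output for ASCII passwords.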

On Thu, Jul 19, 2012 at 12:52 PM, Darren Mackay <[address removed]> wrote:

Having been a code auditor in a previous life... 

| Note that new laws are coming in to place in Australia that will force everybody 
| to be quite a bit more responsible with user data. Best to keep it secure. 

| Also mind that CREloaded somehow passed its PCI DSS certification with this 
| code in place, while it clearly breaches basic safety guidelines. So, it slipped 
| through. PCI DSS and other certification on e-commerce components are *not* 
| a guarantee that the code is good/safe. 

Unfortunately there is a *lot* of disillusionment over what the various security auditors and accreditations are.

Even with an experienced auditor involved, it is *extremely easy* to get a client over the line, regardless of what type of audit is being conducted.

That said, it shouldn't be... but commercial realities of 2012 and requirements of performing the audit for a given price / time frame / etc tend to overshadow good intent.

Relevant regulatory requirements, both existing and planned, aren't worth the paper they are written on unfortunately - but I think a lot on this list already know that (preaching to the converted is easy)


Darren Mackay
Enterprise Research, Forensics and Consulting
mobile: [masked]
twitter: @darrenmackay
email / xmpp: [address removed]

Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Darren Mackay ([address removed]) from Brisbane Web Tech.

Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]

