rfc:password_hash

Differences

This shows you the differences between two versions of the page.

Old revision: rfc:password_hash [2012/09/12 14:19] – Fix timing attack broken link (ircmaxell)
New revision: rfc:password_hash [2017/09/22 13:28] (current) – external edit (127.0.0.1)
Line 3: Line 3:
   * Date: 2012-06-26   * Date: 2012-06-26
   * Author: Anthony Ferrara <ircmaxell@php.net>   * Author: Anthony Ferrara <ircmaxell@php.net>
-  * Status: Accepted+  * Status: Implemented
   * First Published at: http://wiki.php.net/rfc/password_hash   * First Published at: http://wiki.php.net/rfc/password_hash
  
Line 27: Line 27:
 ===== Common Misconceptions ===== ===== Common Misconceptions =====
  
-==== Salts Need To Be Cryptographically Secure ====+==== Salts Need To Be True Random ====
  
-Salts exist for a single reason: To make it so that any time (CPU effort) spent cracking a single password hash cannot be amortized across multiple hashes. That means that attacking a single password hash will have no impact on the time it will take attacking another hash. Based on that reason, salts only need to be unique in a system. There is no requirement for them to be cryptographically secure.+Salts exist for a single reason: To make it so that any time (CPU effort) spent cracking a single password hash cannot be amortized across multiple hashes. That means that attacking a single password hash will have no impact on the time it will take attacking another hash. Based on that reason, salts only need to be statistically globally unique. There is no requirement for them to be true random (as you would need for an encryption key). This means that ///dev/urandom// is acceptable, while //mt_rand()// and //rand()// are not (except as fallbacks).
  
 ==== Hash(password + salt) Is Fine ==== ==== Hash(password + salt) Is Fine ====
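Review bot: the rewritten paragraph in the + line requires salts to be "statistically globally unique" and then allows mt_rand() and rand() "as fallbacks", which undercuts that requirement: both generators are seeded from small, guessable state and their output is predictable from a few samples, so a fallback path silently yields salts that can be predicted or repeated, and repeated salts let an attacker amortize cracking effort across every hash that shares one, which is exactly what the first sentence says salts exist to prevent. Suggest dropping the fallback clause, or stating that a fallback is a degraded mode the caller must be able to detect, and pinning "unique" to a stated size and source (for example, at least 16 bytes read from a CSPRNG such as ///dev/urandom//, which the paragraph already names as acceptable), since uniqueness is only meaningful with a length attached. Separately, the new heading "Salts Need To Be True Random" and the aside "as you would need for an encryption key" frame the distinction as true random versus pseudo-random, but /dev/urandom is itself a CSPRNG and encryption keys are drawn from the same kind of source; the property the paragraph actually wants is unpredictability, so wording it as predictable versus unpredictable would make the /dev/urandom-yes, mt_rand()-no rule follow from the stated reason.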
Line 422: Line 422:
   * 1.3 - Open Voting   * 1.3 - Open Voting
   * 1.4 - Close Voting - Moving To Accepted   * 1.4 - Close Voting - Moving To Accepted
 +  * 1.5 - Implemented!
 +  * 1.5.1 - Fine tune wording of "Cryptographically Secure Salt Requirement"
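Review bot: the new changelog entry 1.5.1 in the + line refers to the "Cryptographically Secure Salt Requirement", but the section it describes was retitled in this same revision to "Salts Need To Be True Random", so the entry now points at a heading that no longer exists; suggest quoting the current heading, or noting the rename in the entry, so readers can find the section it refers to.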
rfc/password_hash.1347459550.txt.gz · Last modified: 2017/09/22 13:28 (external edit)