rfc:password_hash_spec
Differences
rfc:password_hash_spec [2014/07/23 05:14] – yohgaki | rfc:password_hash_spec [2018/03/01 23:20] (current) – RFC is Under Discussion carusogabriel | ||
---|---|---|---|
Line 4: | Line 4: | ||
* DateModified: | * DateModified: | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 37: | Line 37: | ||
</ | </ | ||
- | In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. | + | In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. 72 bytes limits is real problem in this case. |
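Review bot: the sentence appended at the end of the right-hand paragraph ("72 bytes limits is real problem in this case") asserts a problem without saying what it is, and the whole case for keeping SOME_STATIC_SECRET_SALT rests on it. Spell out that the current password_hash() default processes at most 72 bytes of input, so a password with the secret salt appended that together exceed 72 bytes has its tail silently discarded and the secret then contributes nothing to the stored hash. Also fix the grammar: "The 72-byte limit is a real problem in this case."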
Line 51: | Line 51: | ||
- Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512 | - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512 | ||
- | password | + | Password |
+ | |||
+ | Recommend plain use of password_hash() with less than 72 bytes. | ||
In case we decided not to have PASSWORD_SHA512, | In case we decided not to have PASSWORD_SHA512, | ||
- | - Suggest PBKDF2 SHA512 functions ([[http:// | + | |
+ | - Suggest workaround (not recommend) by prehash with raw SHA512. (e.g. password_hash(hash(' | ||
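Review bot: the new bullet recommending a raw-SHA512 pre-hash (the "password_hash(hash(" example) replaces the earlier PBKDF2-SHA512 suggestion but does not say why it is "not recommend[ed]", which is the one thing a reader needs. If "raw" means binary digest output, the 64-byte digest fits under the 72-byte limit but can contain NUL bytes, and crypt-style hashing stops at the first NUL, so some passwords would be hashed from a truncated prefix; if it means the default hex output, the 128-character string exceeds 72 bytes and is itself cut to 72 hex digits (still 288 bits of the digest, so not a practical weakness, but it should be stated). Say which form is meant and name the drawback in the bullet. Minor: "not recommend" should read "not recommended".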
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
- | E_NOTICE may break apps | + | password_hash() |
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
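Review bot: replacing "E_NOTICE may break apps" with a line that now begins "password_hash()" removes the only backward-incompatibility the section actually named. If the proposal no longer raises a notice, say so explicitly in this section; if it still does, keep the warning so readers know that existing error handlers converting notices to exceptions may be triggered.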
Line 69: | Line 72: | ||
==== To Existing Extensions ==== | ==== To Existing Extensions ==== | ||
- | string | + | * [[http:// |
==== New Constants ==== | ==== New Constants ==== | ||
- | PASSWORD_SHA512 for crypt-sha512 | + | * PASSWORD_SHA512 for crypt-sha512 |
==== php.ini Defaults ==== | ==== php.ini Defaults ==== |
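Review bot: the New Constants entry lists PASSWORD_SHA512 unconditionally, while the changed text under the page's "Line 51" hunk ("In case we decided not to have PASSWORD_SHA512, ...") treats it as optional; mark the constant as conditional on that decision, or drop it, so the two sections agree. The change itself is only a bullet-list reformat ("* PASSWORD_SHA512 for crypt-sha512"), which is fine.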
rfc/password_hash_spec.txt · Last modified: 2018/03/01 23:20 by carusogabriel