rfc:password_hash_spec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
rfc:password_hash_spec [2014/07/23 04:23] – created yohgakirfc:password_hash_spec [2018/03/01 23:20] (current) – RFC is Under Discussion carusogabriel
Line 4: Line 4:
   * DateModified: 2014-07-23   * DateModified: 2014-07-23
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Draft +  * Status: Under Discussion 
   * First Published at: http://wiki.php.net/rfc/password_hash_spec   * First Published at: http://wiki.php.net/rfc/password_hash_spec
  
Line 12: Line 12:
 Unlike other hash functions, Blowfish is designed to take limited length as its parameter. Bytes longer than 72 bytes are truncated to compute hash value. Current implementation does not have check against too long parameter. Therefore, too long parameter is silently ignored. Average users expect "hash" functions compute hash value based on parameter, not part of it. Unlike other hash functions, Blowfish is designed to take limited length as its parameter. Bytes longer than 72 bytes are truncated to compute hash value. Current implementation does not have check against too long parameter. Therefore, too long parameter is silently ignored. Average users expect "hash" functions compute hash value based on parameter, not part of it.
  
-Before PHP 5.3, crypt() could not be used reliably because it didn't have required hash function internally. Therefore, code like below is used commonly. +Before PHP 5.3, crypt() could not be used reliably because it didn't have required hash function internally. Therefore, code like below is used commonly. Note: According to this [[http://w3techs.com/technologies/details/pl-php/5/all|survey]] 20% of PHP users are still using PHP4 and 25% of PHP5 users are using pre PHP5.3.
  
-<code>+<code php>
 <?php <?php
 $password_hash = sha1(SOME_STATIC_SECRET_SALT . $_POST['password']); $password_hash = sha1(SOME_STATIC_SECRET_SALT . $_POST['password']);
Line 26: Line 26:
 If user writes code like below, password_hash() does not work for authentication when SOME_STATIC_SECRET_SALT is long enough. (e.g. const = SOME_STATIC_SECRET_SLAT = hash('sha512', 'some secret string'); hash('sha512', 'str') returns 128 bytes which is longer than 72.) If user writes code like below, password_hash() does not work for authentication when SOME_STATIC_SECRET_SALT is long enough. (e.g. const = SOME_STATIC_SECRET_SLAT = hash('sha512', 'some secret string'); hash('sha512', 'str') returns 128 bytes which is longer than 72.)
  
-<code>+<code php>
 <?php <?php
 // $password_hash = password_hash(SOME_STATIC_SECRET_SALT . $_POST['password']) is saved in password DB // $password_hash = password_hash(SOME_STATIC_SECRET_SALT . $_POST['password']) is saved in password DB
Line 37: Line 37:
 </code> </code>
  
-In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation.+In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. 72 bytes limits is real problem in this case.
    
  
Line 51: Line 51:
   - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512   - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512
  
-password hashing related documentation:+Password hashing related documentation: 
 + 
 +Recommend plain use of password_hash() with less than 72 bytes.
  
 In case we decided not to have PASSWORD_SHA512,  In case we decided not to have PASSWORD_SHA512, 
  
- - Suggest PBKDF2 SHA512 functions ([[http://jp2.php.net/manual/en/function.hash-pbkdf2.php|hash]] or [[http://jp2.php.net/manual/en/function.openssl-pbkdf2.php|openssl]]) as an alternative. (rounds larger than 10,000)+  - Suggest PBKDF2 SHA512 functions ([[http://jp2.php.net/manual/en/function.hash-pbkdf2.php|hash]] or [[http://jp2.php.net/manual/en/function.openssl-pbkdf2.php|openssl]]) as an alternative. (rounds larger than 10,000
 +  - Suggest workaround (not recommend) by prehash with raw SHA512. (e.g. password_hash(hash('sha512', SOME_STATIC_SCRET_SALT . $password), PASSWORD_DEFAULT);)
  
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-E_NOTICE may break apps+password_hash() E_NOTICE may break apps.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
Line 69: Line 72:
 ==== To Existing Extensions ==== ==== To Existing Extensions ====
  
-string+  * [[http://jp2.php.net/manual/en/book.password.php|Password Hashing]]
  
  
 ==== New Constants ==== ==== New Constants ====
  
-PASSWORD_SHA512 for crypt-sha512+  * PASSWORD_SHA512 for crypt-sha512
  
 ==== php.ini Defaults ==== ==== php.ini Defaults ====
rfc/password_hash_spec.1406089391.txt.gz · Last modified: 2017/09/22 13:28 (external edit)

Page Tools