rfc:password_hash_spec

rfc:password_hash_spec [2014/07/23 05:21] yohgakirfc:password_hash_spec [2018/03/01 23:20] (current) – RFC is Under Discussion carusogabriel
Line 4: Line 4:
   * DateModified: 2014-07-23   * DateModified: 2014-07-23
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Draft +  * Status: Under Discussion 
   * First Published at: http://wiki.php.net/rfc/password_hash_spec   * First Published at: http://wiki.php.net/rfc/password_hash_spec
  
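Review bot: DateModified on the context line above still reads 2014-07-23 while this hunk changes Status from Draft to Under Discussion in a revision dated 2018/03/01; bump DateModified together with the status change so the header reflects when the RFC was last edited.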
Line 37: Line 37:
 </code> </code>
  
-In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation.+In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. 72 bytes limits is real problem in this case.
    
  
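Review bot: the sentence appended at the end of this hunk, "72 bytes limits is real problem in this case.", is ungrammatical and gives the reader no reason. Suggest: "The 72-byte limit is a real problem in this case: the hashed input is SOME_STATIC_SECRET_SALT . $password, and bcrypt truncates its input at 72 bytes, so a long secret salt leaves few or no password bytes in what actually gets hashed."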
Line 51: Line 51:
   - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512   - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512
  
-password hashing related documentation:+Password hashing related documentation:
  
 Recommend plain use of password_hash() with less than 72 bytes. Recommend plain use of password_hash() with less than 72 bytes.
Line 58: Line 58:
  
   - Suggest PBKDF2 SHA512 functions ([[http://jp2.php.net/manual/en/function.hash-pbkdf2.php|hash]] or [[http://jp2.php.net/manual/en/function.openssl-pbkdf2.php|openssl]]) as an alternative. (rounds larger than 10,000)   - Suggest PBKDF2 SHA512 functions ([[http://jp2.php.net/manual/en/function.hash-pbkdf2.php|hash]] or [[http://jp2.php.net/manual/en/function.openssl-pbkdf2.php|openssl]]) as an alternative. (rounds larger than 10,000)
-  - Suggest (not recommend) prehash with raw SHA512. (e.g. password_hash(hash('sha512', SOME_STATIC_SCRET_SALT . $password), PASSWORD_DEFAULT);)+  - Suggest workaround (not recommend) by prehash with raw SHA512. (e.g. password_hash(hash('sha512', SOME_STATIC_SCRET_SALT . $password), PASSWORD_DEFAULT);)
  
  
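Review bot: `SOME_STATIC_SCRET_SALT` in the example is a typo for `SOME_STATIC_SECRET_SALT` used earlier on the page. More importantly, `hash('sha512', ...)` without the raw-output flag returns 128 hex characters, so the example's own input exceeds the 72-byte limit the workaround exists to avoid and bcrypt will silently truncate it; either say that truncation is acceptable here or pick a digest whose encoded length fits under 72 bytes, and warn that raw binary output is not a safe substitute because a NUL byte in it cuts the bcrypt input short.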
Line 72: Line 72:
 ==== To Existing Extensions ==== ==== To Existing Extensions ====
  
-string+  * [[http://jp2.php.net/manual/en/book.password.php|Password Hashing]]
  
  
 ==== New Constants ==== ==== New Constants ====
  
-PASSWORD_SHA512 for crypt-sha512+  * PASSWORD_SHA512 for crypt-sha512
  
 ==== php.ini Defaults ==== ==== php.ini Defaults ====
rfc/password_hash_spec.1406092878.txt.gz · Last modified: 2017/09/22 13:28 (external edit)