rfc:password_hash_spec
Differences
This shows you the differences between two versions of the page.
rfc:password_hash_spec [2014/07/23 05:21] – yohgaki | rfc:password_hash_spec [2018/03/01 23:20] (current) – RFC is Under Discussion carusogabriel | ||
---|---|---|---|
Line 4: | Line 4: | ||
* DateModified: | * DateModified: | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 37: | Line 37: | ||
</ | </ | ||
- | In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. | + | In general, users are recommended to use crypt related functions as is and this is documented currently. However, SOME_STATIC_SECRET_SALT is still useful as mitigation when password database is stolen while SOME_STATIC_SECRET_SALT is _not_ stolen. (e.g. Stolen password DB via SQL injection, stolen password db backup, etc) Therefore, some organizations require to add secret salt for an additional mitigation. 72 bytes limits is real problem in this case. |
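Review bot: the sentence added at the end of this paragraph, "72 bytes limits is real problem in this case.", should read "The 72-byte limit is a real problem in this case" and should say why it matters here: combining SOME_STATIC_SECRET_SALT with the user's password consumes part of the 72-byte input limit that the RFC's recommendation below ("plain use of password_hash() with less than 72 bytes") refers to, so the combined input can exceed that limit even when the password alone would not. Stating that explicitly would make the mitigation's trade-off clear to readers of the RFC.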
Line 51: | Line 51: | ||
- Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512 | - Add PASSWORD_SHA512 hashing to password_hash() that is compatible with crypt-sha512 | ||
- | password | + | Password |
Recommend plain use of password_hash() with less than 72 bytes. | Recommend plain use of password_hash() with less than 72 bytes. | ||
Line 58: | Line 58: | ||
- Suggest PBKDF2 SHA512 functions ([[http:// | - Suggest PBKDF2 SHA512 functions ([[http:// | ||
- | - Suggest (not recommend) prehash with raw SHA512. (e.g. password_hash(hash(' | + | - Suggest |
Line 72: | Line 72: | ||
==== To Existing Extensions ==== | ==== To Existing Extensions ==== | ||
- | string | + | * [[http:// |
==== New Constants ==== | ==== New Constants ==== | ||
- | PASSWORD_SHA512 for crypt-sha512 | + | * PASSWORD_SHA512 for crypt-sha512 |
==== php.ini Defaults ==== | ==== php.ini Defaults ==== |
rfc/password_hash_spec.1406092878.txt.gz · Last modified: 2017/09/22 13:28 (external edit)