Yet another question about salt+hashing


Zephni

You're grasping at straws, and I don't believe you have a strong understanding of the topic in debate.

 

Yes, there are more ways. You could store the password in plain text if you'd like, but it's not a good idea. If you want to use two-way encryption, go right ahead, but it's not a good idea. You can think anything you want; it doesn't make it good advice.

 

It's about proving which is the best solution to choose for any given problem. I've backed up my choice with a peer-reviewed, widely-implemented class, example code, and an article that explains how to implement it - well beyond simply 'using' the class.

 

You've provided fluff and opinions, based around the idea that there's always more than one way to do something, without actually suggesting a method that compares to my solution. crypt() was the closest you came, and I showed you that integrating it in a less-secure (salt generation) manner than PHPass is more work. You provided nothing to support your suggestions.

 

If you don't understand the underlying concepts, please stick to asking questions. To quote an administrator here, "You don't bullshit the mechanic about how you think a car should run..."


I never saw someone have as much difficulty following a thread as you do.

I've emphasized time and time again that this is NOT to find the one method - I said there is more than one.

You missed mcrypt() which is also useful. Bcrypt() is also a valid alternative.

Most people can make these work, but then again most people would have gotten the point long before this post.

 

Phpass is good - that doesn't mean people don't have issues with that too:

http://www.google.se/search?client=opera&rls=sv&q=phpass+problem&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

 

I haven't found any articles, tests or reviews that let us compare these different methods, but if you have one I'm genuinely interested in seeing it.

 

So to spell this out as clearly as it ever will be spelled out: crypt() and mcrypt() are valid hashing tools without being BETTER than phpass.

 

My second point was that what you wrote to florida was rude and in no way helpful.

 

Glad to see you use an analogy at the end - except I'm not talking to the mechanic, I'm talking to the next guy waiting to have his car fixed, and he's telling everyone there that the problem is always the gearbox.


I'm going to keep this simple and to the point.

 

bcrypt isn't a PHP function. It's implemented in PHP's crypt() function as CRYPT_BLOWFISH. It's not actually Blowfish, it's Eksblowfish, aka bcrypt.

PHPass is pretty much a wrapper for crypt(). It takes care of salt generation, proper syntax, and falling back if a server doesn't support CRYPT_BLOWFISH.

 

mcrypt() isn't good because it's for two-way ciphers. These are bad because you now have a public and a private key. The private key is capable of decrypting a user's password, assuming each user has their own key pair - if not, then it's worse and a single key decrypts all users' passwords. These keys have to be accessible by the script in order to verify a user logging in. If you lose them, along with your database, "you have a sh*t pot full of problems."

 

http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php - Top 2 answers mention PHPass

http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely - Top answer by a large margin mentions PHPass

Wordpress, Vanilla, phpBB, Drupal, and other large projects use/discuss PHPass. The guy that wrote it is a security expert.

 

To your second point, I've acknowledged the fact that you aren't happy with what I wrote to floridaflatlander. Why bring it up again? If you have an issue, use the report button or PM me. That has nothing to do with this thread, so try and keep it out.

 

I may not design the car, but I'm decent at fixing it.

 

You think there's more than one method. I don't. You pick the most robust, expensive, secure hash algorithm that's reasonably portable. You then use a wrapper to generate salts, hash, and compare. This wrapper is ideally designed by an expert to ensure proper implementation.

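To make the post above concrete, here is an added example (not from the thread, and not PHPass's own code) of the three jobs it attributes to a crypt() wrapper: generating a salt, producing the correct CRYPT_BLOWFISH setting string, and checking that bcrypt is actually available. It assumes PHP 7 or later, where `random_bytes()` and `hash_equals()` exist and the `$2y$` bcrypt prefix is supported by crypt().

```php
<?php
// Added example of a minimal bcrypt wrapper around PHP's crypt().
// Not PHPass; it mirrors what the post says PHPass does for you.

const BCRYPT_COST = 12; // work factor: 2^12 rounds, raise as hardware gets faster

// Build a bcrypt setting string: "$2y$" + two-digit cost + "$" + 22-char salt.
function bcrypt_salt_string(int $cost = BCRYPT_COST): string {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 bytes from a CSPRNG, re-encoded into bcrypt's base64 alphabet
    // (./A-Za-z0-9). Standard base64 uses "+", which crypt() rejects here.
    $raw  = random_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function bcrypt_hash(string $password): string {
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) {
        // PHPass falls back to a weaker scheme here; refusing outright is the
        // safer choice for a new deployment.
        throw new RuntimeException('CRYPT_BLOWFISH is not supported by this PHP build');
    }
    $hash = crypt($password, bcrypt_salt_string());
    // crypt() reports failure with a short string such as "*0", never a 60-char hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verification: feed the stored hash back in as the setting (it carries the
// cost and salt) and compare in constant time so timing does not leak
// how many leading characters matched.
function bcrypt_verify(string $password, string $storedHash): bool {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed demo values, not from the thread.
$hash = bcrypt_hash('correct horse battery staple');
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong password', $hash));
```

On PHP 5.5 and later the standard library's `password_hash()` and `password_verify()` perform exactly this wrapping (bcrypt, CSPRNG salt, constant-time compare), so new code should prefer those over a hand-rolled wrapper.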
