Jump to content

Recommended Posts

Used to be a good option, but don't know anymore as password_hash() is now available.

 

Agree?

 

I understand that I shouldn't ever manually salt and disable the functions salting.  That being said, is there any reason to add a bit extra to the user's password (such as an internal ID and some random constant)?

PHPass is long obsolete and seems to have been abandoned by its author. The last version is from 2006.

 

While the script is certainly mature, it's also full of unnecessary and potentially dangerous legacy stuff like a fallback to MD5. In addition to that, the code is very cryptic (no pun intended) due to lots of low-level byte fiddling.

 

So, no, I wouldn't use PHPass in new applications. The author did a great job at introducing bcrypt to the PHP world (the underlying C implementation is also from him), but now we simply have better libraries.

 

 

 

I understand that I shouldn't ever manually salt and disable the functions salting.  That being said, is there any reason to add a bit extra to the user's password (such as an internal ID and some random constant)?

 

I'm not sure what that has to do with PHPass.

 

Theoretically, it can make sense to mix a secret key into the hashes if the key and the hashes are stored separately (ideally on two different machines). This forces an attacker to compromise both the database and the key storage.

 

However, the concrete implementation is tricky. Do you have an extra server at hand? If not, then the whole approach is rather questionable, because the key will be sitting right next to the hashes. How do you get around the input limit of bcrypt? As you probably know, it can only process up to 56 bytes. If you reserve, say, 16 bytes for the key, then the actual password is limited to merely 40 bytes, which is an actual problem for passphrases. This can be fixed by reducing the input with an HMAC before it's hashed, but this would be highly experimental and risky.

 

So I'd stick to plain bcrypt.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.