Opened 11 months ago
Last modified 9 months ago
#4665 new Enhancement
Use PHPass for password hashing
| Reported by: | mrclay | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Near Term Future Release |
| Component: | Core | Version: | 1.8.6 |
| Severity: | minor | Keywords: | |
| Cc: | brett@… | Difficulty: |
Description
Change History (5)
comment:1 Changed 11 months ago by cash
- Milestone changed from Needs Review to Near Term Future Release
comment:2 Changed 9 months ago by sembrestels
For backwards compatibility we can:
- Reset all passwords and save new ones with the new hash algorithm.
- Rehash existing passwords with the new algorithm and hash twice new passwords (one with md5 and the other with the new algorithm).
comment:3 Changed 9 months ago by mrclay
- Add new hash strategy (we have good options in 5.2--see below)
- Add a second, wider password_hash column and start saving new hashes during log ins (store both)
- Add admin process to disable legacy passwords (one way: removes the password and salt columns). The admin would then have the option to send every user without a new hash a customizable message with a reset pwd link.
@cash, when BC issues would blocking the above steps?
Re: hash algos, Blowfish is ideal, but PBKDF2 with 10K iterations of sha256 is plenty secure. Plenty of libs out there that will do whatever's available and the algo is stored in the hash.
I'd prefer this not be pluggable; most attempts I see to "improve the hashing" usually add little security and could easily break something. I can see it now: "This plugin allows you to e-mail users their passwords by storing them with base 64 encryption" :)
comment:4 follow-up: ↓ 5 Changed 9 months ago by cash
I want to store what hashing algorithm was used in hash field so that we'll have backward/forward compatibility.
The switchover strategy should really be a site decision. I would prefer something that works transparently for sites - all new users get the new hashes, anyone who changes a password gets the new hash, everyone else stays with the previous hash. We can offer a small plugin that forces the change for all users for those sites that want that.
comment:5 in reply to: ↑ 4 Changed 9 months ago by mrclay
Replying to cash:
I want to store what hashing algorithm was used in hash field
First char of all new hashes would be $, otherwise it's a legacy hash.
The switchover method you describe sounds reasonable to me.
It would be a good time to redo password hashing when we up the requirement to PHP 5.3 since PHP added default implementations of Blowfish.
Also, this is not as easy as just adding library - we need to think through backward compatibility, forward compatibility for future changes in hashing, making this more pluggable, portability, Windows support, etc.