New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use password_hash() for password hashing #4665
Comments
cash wrote on 42515044-08-01 It would be a good time to redo password hashing when we up the requirement to PHP 5.3 since PHP added default implementations of Blowfish. Also, this is not as easy as just adding library - we need to think through backward compatibility, forward compatibility for future changes in hashing, making this more pluggable, portability, Windows support, etc. |
Milestone changed to |
trac user sembrestels wrote on 42685890-08-24 For backwards compatibility we can:
|
trac user mrclay wrote on 42686786-09-05
cash, when BC issues would blocking the above steps? Re: hash algos, Blowfish is ideal, but PBKDF2 with 10K iterations of sha256 is plenty secure. Plenty of libs out there that will do whatever's available and the algo is stored in the hash. I'd prefer this not be pluggable; most attempts I see to "improve the hashing" usually add little security and could easily break something. I can see it now: "This plugin allows you to e-mail users their passwords by storing them with base 64 encryption" :) |
cash wrote on 42687730-02-23 I want to store what hashing algorithm was used in hash field so that we'll have backward/forward compatibility. The switchover strategy should really be a site decision. I would prefer something that works transparently for sites - all new users get the new hashes, anyone who changes a password gets the new hash, everyone else stays with the previous hash. We can offer a small plugin that forces the change for all users for those sites that want that. |
trac user mrclay wrote on 42687755-02-12 Replying to cash:
First char of all new hashes would be The switchover method you describe sounds reasonable to me. |
I'd really like to solve this for 1.9. Plan is to use password_hash and, for PHP < 5.3.7, fallback to PhPass. A simple wrapper will sniff if the hash is for PhPass (begins with To add to above, at every login we can replace old legacy hashes with new ones. |
Please can anybody say what the current status on this issue is? Thank you How actual is this community entry? |
This won't be in 1.9.X. It will likely go into 1.10.0. |
Ok. thanks. generate_random_cleartext_password() from |
You can write a plugin that takes over user creation and authentication, but you can't override those specific functions with a plugin. |
It is hard to do but I did a plugin to do it some time ago: |
In 1.10 let's at least take the 1st step of saving new hashes beside the legacy ones. If we can't finish full migration by 1.10 at least the later switch would have most accounts ready. /cc @ewinslow |
…or of a setPassword() method that makes sure everything is done.
PR #7495 for a start. |
Happy to review any PRs |
…or of a setPassword() method that makes sure everything is done.
The PR I submitted just added a separate column for the new hashes. Having old and new hashes in the same column seems unwise to me, particularly if we're going to consider setting ElggUser salt/password as part of the public API (until 2.0 I hope) and allowing logins to use either hash. With the new functions I don't see the benefit of keeping track of the hashing algorithm or exposing it to devs. It should be a black box and if devs want to tinker they can use password_get_info() to sniff the algo. Decisions to make:
|
I haven't looked at this yet, but I would say just as a matter of opinion:
|
…or of a setPassword() method that makes sure everything is done.
…or of a setPassword() method that makes sure everything is done.
This gradually migrates users to modern hashes as they log in; deprecates setting the salt/password attributes in favor of a new setPassword() method (setting salt/password continues to work but will revert the user to the legacy MD5 hashing); and moves core password functionality to a PasswordService object. Fixes Elgg#4665
This gradually migrates users to modern hashes as they log in; deprecates setting the salt/password attributes in favor of a new setPassword() method (setting salt/password continues to work but will revert the user to the legacy MD5 hashing); and moves core password functionality to a PasswordService object. Fixes Elgg#4665
This gradually migrates users to modern hashes as they log in; deprecates setting the salt/password attributes in favor of a new setPassword() method (setting salt/password continues to work but will revert the user to the legacy MD5 hashing); and moves core password functionality to a PasswordService object. Fixes Elgg#4665
Closing this as #7594 is merged |
Original ticket http://trac.elgg.org/ticket/4665 on 42514878-02-25 by trac user mrclay, assigned to unknown.
Elgg version: 1.8.6
http://www.openwall.com/phpass/
The text was updated successfully, but these errors were encountered: