Password hashing


Password hashing

David Muir-2
I've been working on a project where I've started using phpass for
hashing passwords and doing password checks. I was about to suggest that
we should have a crypt/hash package for ZF2, and then realised it
already exists, and even exists in ZF1! But there's no mention of it in
the manual except one tiny mention on the xmlrpc client page.

Is there a reason why they're undocumented? Are they only meant for
internal ZF usage? I noticed that it doesn't use php's crypt function,
but uses hash instead.

In any case, it would be great to have something along the lines of
phpass for ZF which would also work with Zend_Auth.

Is this something that would be better off as a module, or in ZF proper?

Cheers,
David

--
List: [hidden email]
Info: http://framework.zend.com/archives
Unsubscribe: [hidden email]



Re: Password hashing

EvanDotPro
On Wed, Nov 23, 2011 at 6:28 PM, David Muir <[hidden email]> wrote:

> I've been working on a project where I've started using phpass for
> hashing passwords and doing password checks. I was about to suggest that
> we should have a crypt/hash package for ZF2, and then realised it
> already exists, and even exists in ZF1! But there's no mention of it in
> the manual except one tiny mention on the xmlrpc client page.
>
> Is there a reason why they're undocumented? Are they only meant for
> internal ZF usage? I noticed that it doesn't use php's crypt function,
> but uses hash instead.
>
> In any case, it would be great to have something along the lines of
> phpass for ZF which would also work with Zend_Auth.
>
> Is this something that would be better off as a module, or in ZF proper?

Personally, I handle it myself in my ZF2 module, EdpUser
(https://github.com/EvanDotPro/EdpUser) using PHP's crypt(). I have it
documented in the readme if you want to take a look.

As for Zend\Crypt, I personally haven't really looked into it much. I
didn't see support for crypt() in there, so I decided to roll my own,
as the implementation is actually fairly simple. As I implemented it,
nothing really stood out to me as needing enough abstraction to
justify a framework component (or sub component), but I suppose that's
subjective. That said, I wouldn't be _against_ adding some simple
abstraction around crypt() into Zend\Crypt, but I also haven't really
looked at the code or the original purpose behind Zend\Crypt in the
first place, so I couldn't tell you if it's out of scope for that
component or anything until I actually take some  (but hey, they both
say 'crypt', heh).

--
Evan Coury




R: [zf-contributors] Password hashing

Enrico Zimuel-2
Hi David and Evan,

I would like to review the Zend\Crypt component to propose some new functionalities like bcrypt and also an encryption/decryption scheme with Mcrypt + HMAC.
I think we should offer a better API for bcrypt (compared with the native one of $2a$ ?!), especially to help people estimate the workload of the algorithm. As you know, if you use the wrong workload factor (e.g. 10, that is low) the use of bcrypt is not secure anymore.
Recently I did some talks about Cryptography in PHP and I played with the bcrypt implementation of PHP (see http://www.slideshare.net/e.zimuel/cryptography-in-php-use-cases, from slide 13).
Anyway, I looked briefly at the implementation of Evan and it looks very good.
I will send an update to the mailing list about Zend\Crypt asap.

Enrico Zimuel
Senior PHP Engineer     | [hidden email]
Zend Framework Team  | http://framework.zend.com
Zend Technologies Ltd.
http://www.zend.com
________________________________________
From: Evan Coury [[hidden email]]
Sent: Thursday, 24 November 2011 5:30
To: David Muir
Cc: [hidden email]
Subject: Re: [zf-contributors] Password hashing


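Enrico's point about the workload factor, as an added example that is not code from this thread, from Zend\Crypt or from EdpUser: bcrypt through PHP's crypt(), a helper that calibrates the cost on the machine it runs on, and a constant-time verify. It assumes PHP 5.3.7 or later (for the $2y$ prefix) with the OpenSSL extension; the function names are my own.

```php
<?php
// Added example, not code from the thread, Zend\Crypt or EdpUser.
// Assumes PHP >= 5.3.7 (for the $2y$ prefix) with the OpenSSL extension.
// 22-character salt from the bcrypt alphabet [./A-Za-z0-9].
function bcryptSalt()
{
    $b64 = base64_encode(openssl_random_pseudo_bytes(16)); // 24 chars of A-Za-z0-9+/, "==" padded
    return substr(strtr($b64, '+', '.'), 0, 22);
}

// Hash with an explicit cost (workload factor): bcrypt runs 2^cost key-setup rounds.
function bcryptHash($password, $cost)
{
    $hash = crypt($password, sprintf('$2y$%02d$%s', (int) $cost, bcryptSalt()));
    if (strlen($hash) !== 60) { // crypt() signals a bad cost or unsupported scheme with a short "*0"
        throw new RuntimeException('bcrypt ($2y$) failed; check the cost and the PHP build');
    }
    return $hash;
}

// Re-hash with the cost and salt embedded in the stored hash, then compare in
// constant time so the number of matching bytes does not leak through timing.
function bcryptVerify($password, $hash)
{
    $computed = crypt($password, $hash);
    if (strlen($hash) !== 60 || strlen($computed) !== 60) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < 60; $i++) {
        $diff |= ord($computed[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

// Highest cost, never below $minCost, at which one hash still fits in $targetMs on this
// machine. Re-run when hardware changes and re-hash stored passwords on the next login.
function calibrateBcryptCost($targetMs = 250, $minCost = 10)
{
    $cost = $minCost;
    while ($cost < 31) {
        $start = microtime(true);
        bcryptHash('calibration-only', $cost + 1);
        if ((microtime(true) - $start) * 1000 > $targetMs) {
            break; // the next step up already exceeds the time budget
        }
        $cost++;
    }
    return $cost;
}
```

Because the cost is stored inside the hash string, bcryptVerify() keeps working for old records after the calibrated cost is raised; the check can be combined with a re-hash when a user authenticates with a hash whose cost is below the current one.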