Enhance the password hashing with pepper function. Significantly increases complexity to crack passwords (according to NIST and other researchers), with a few extra lines to the doPasswordEncode and doCheckPassword functions and install procedure (create pepper in config.php?).
Additionally, on the doCheckPassword function there is a method for updating the older MD5 passwords, but it also should take into account the PHP hash updates that will eventually arrive. See password_needs_rehash for details.
One problem I see is that it is not straightforward how to make the transition of installations without pepper to ones with pepper. Changing the pepper value afterwards invalidates all passwords. Unlike the move from md5 hashed passwords to more secure algorithms, there is no indication in the hash string out of the box that it was created before the introduction of the pepper value. We might decorate the hash string with something to indicate this and strip it off again for the verification, but this indicator must be chosen carefully (I guess prepending another $ in particular is a bad choice ;-) ).
Anyhow, there is some pseudo code provided in this comment which may help with the implementation once the problem is solved how to distinguish peppered hashes from older ones...
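The doPasswordEncode/doCheckPassword sketch from the issue combined with the migration marker the comment asks for, as an added PHP example that is not the project's own code: the `pepper1:` prefix, the HMAC step, the plain-hex md5 legacy format, the function signatures and the PHP 8 `str_starts_with` call are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed marker; it contains no '$' so it cannot be mistaken for a crypt()
// algorithm id, and it is stripped again before password_verify() sees the hash.
const PEPPER_PREFIX = 'pepper1:';

// The pepper itself would be generated once at install time (random_bytes() into
// config.php) and kept out of the database that holds the hashes.
function pepperedInput(string $password, string $pepper): string
{
    // HMAC keeps the value bcrypt sees at 64 hex chars, under bcrypt's 72-byte limit.
    return hash_hmac('sha256', $password, $pepper);
}

function doPasswordEncode(string $password, string $pepper): string
{
    return PEPPER_PREFIX . password_hash(pepperedInput($password, $pepper), PASSWORD_DEFAULT);
}

// Returns [bool verified, ?string newHash]; newHash is set when the stored value
// should be replaced (legacy md5, unpeppered, or outdated algorithm/cost).
function doCheckPassword(string $password, string $stored, string $pepper): array
{
    if (str_starts_with($stored, PEPPER_PREFIX)) {
        $hash = substr($stored, strlen(PEPPER_PREFIX));
        if (!password_verify(pepperedInput($password, $pepper), $hash)) {
            return [false, null];
        }
        // Picks up PHP's future default algorithm/cost changes.
        $new = password_needs_rehash($hash, PASSWORD_DEFAULT)
            ? doPasswordEncode($password, $pepper) : null;
        return [true, $new];
    }
    if (str_starts_with($stored, '$')) {
        // Unpeppered password_hash() value from before the pepper was introduced.
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        return [true, doPasswordEncode($password, $pepper)];
    }
    // Assumed legacy format: plain hex md5 digest; constant-time comparison.
    if (hash_equals($stored, md5($password))) {
        return [true, doPasswordEncode($password, $pepper)];
    }
    return [false, null];
}
```

Each successful login with a non-null newHash is the moment to write the upgraded value back, so installations migrate to peppered hashes without invalidating anyone.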