Timoh's Blog:
Aggressive password stretching - A solution to the low-entropy keys problem?
November 29, 2013 @ 10:15:30

While not specifically related to PHP, this new post from Timoh looks at the idea of "aggressive password stretching" to help with a common problem in password-based systems - the poor choice of passwords from the application's users.

Practically speaking, "weak" means a user-generated password will not contain enough guessing entropy to resist an adversary who managed to gain the user database dump, and who is able to run an efficient offline attack against the leaked hashes. Here comes the need to make the adversary's job harder, which is achieved by using the above-named algorithms.

He doesn't talk much about the actual password hashing itself, instead focusing on password stretching - the addition of more information not from the user (usually from an automated source) to increase the password's entropy. He goes through some of the math on how much extra work this method forces on an attacker, and some of the problems that can come with it. He also discusses how much time should be spent hashing passwords, suggesting that it's "a matter of finding a sweet spot between you and attacker's patience and the security gain" and not just about security.

A bit more on the PHP-specific side, he briefly looks at the password_hash function and some of the defaults the more current frameworks use (hint: bcrypt all the things).
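To make the "sweet spot" trade-off concrete, here is an added example in PHP (not code from Timoh's post or from PHPDeveloper.org) that picks a bcrypt cost for password_hash by timing it, and expresses the extra cost as the number of entropy bits it is worth against an offline attacker. The 250 ms login budget, the attacker's guess rate and the 30-bit user password are assumed, constructed figures.

```php
<?php
// Added example, not from the original post. Tune bcrypt cost to a target
// verification time and translate the cost into "equivalent entropy bits".

/**
 * Lowest bcrypt cost whose hashing time on this machine reaches $targetSeconds.
 * $maxCost is capped well below bcrypt's limit of 31 so the benchmark stays bounded.
 */
function findBcryptCost(float $targetSeconds, int $minCost = 10, int $maxCost = 16): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

/**
 * Each +1 in bcrypt cost doubles the work per guess. Against an offline
 * attacker that is the same as the password carrying one more bit of entropy,
 * so cost $cost over a baseline $baseCost is worth ($cost - $baseCost) bits.
 */
function equivalentExtraBits(int $baseCost, int $cost): int
{
    return max(0, $cost - $baseCost);
}

/**
 * Average seconds for an attacker to find a password of $entropyBits bits,
 * given they compute $hashesPerSecondAtBase bcrypt hashes per second at
 * $baseCost. Stretching multiplies the time by 2^($cost - $baseCost).
 */
function attackerSeconds(float $entropyBits, float $hashesPerSecondAtBase, int $baseCost, int $cost): float
{
    $guesses   = 2 ** $entropyBits;                            // whole keyspace
    $perGuess  = (2 ** ($cost - $baseCost)) / $hashesPerSecondAtBase;
    return $guesses * $perGuess / 2;                           // half on average
}

$cost = findBcryptCost(0.25);   // assumption: ~250 ms per login is acceptable here
printf("Chosen bcrypt cost: %d (+%d equivalent bits over PHP's default cost of 10)\n",
    $cost, equivalentExtraBits(10, $cost));
// Constructed scenario: a 30-bit user-chosen password versus an attacker
// running 10,000 cost-10 bcrypt hashes per second.
printf("Average crack time at cost %d: %.1f days\n",
    $cost, attackerSeconds(30, 10000, 10, $cost) / 86400);
```

The second figure shows the other half of the argument: stretching buys a fixed number of bits, so a password that starts far below the attacker's budget stays crackable no matter how the cost is tuned.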

Proper password hashing is clearly not enough to make sure the password hashes are not weak. The other half of the job is a good password policy. No algorithm or setting will save passwords like "password" or "12345" etc. This is why we need to make sure the user's password will initially contain enough entropy itself.

Link: http://timoh6.github.io/2013/11/26/Aggressive-password-stretching.html

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework