News Feed
Jobs Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Timoh's Blog:
Aggressive password stretching - A solution to the low-entropy keys problem?
November 29, 2013 @ 10:15:30

While not specifically related to PHP, this new post from Timoh looks at the idea of "aggressive password stretching" to help with a common problem in password-based systems - the poor choice of passwords from the application's users.

Practically speaking, "weak" means a user generated password will not contain enough guessing entropy to resist an adversary who managed to gain the user database dump, and who is able to run efficient offline attack against leaked hashes. Here comes in the need to make adversary's job harder, which is achieved by using the above-named algorithms.

He doesn't talk much about the actual password hashing itself, instead focusing on how the password stretching - the addition of more information not from the user (usually an automated source) to increase it password entropy. He goes through some of the math about how much extra work is required for an attacker with this method and some of the problems that can come with it. He talks about how much time should be spent in the hashing of the passwords and suggests that it's "a matter of finding a sweet spot between you and attacker's patience and the security gain" and not just about the security.

A bit more on the PHP-specific side, he briefly looks at the password_hash function and some of the defaults the more current frameworks use (hint: bcrypt all the things).

Proper password hashing is clearly not enough to make sure the password hashes are not weak. The other half of the job is a good password policy. No algorithm or setting will save passwords like "password" or "12345" etc. This is why we need to make sure the user's password will initially contain enough entropy itself.
0 comments voice your opinion now!
password stretching hashing aggressive entropy solution

Link: http://timoh6.github.io/2013/11/26/Aggressive-password-stretching.html

blog comments powered by Disqus

Similar Posts

Anthony Ferrara: Designing An API: Simplified Password Hashing

Jeremy Kendall: PHP Password Hashing: A Dead Simple Implementation

DevShed: User Authentication and PHP Security

Shay Ben Moshe's Blog: Hashing Passwords Properly

DevX.com: Integrating PHP into Your SOA Solutions


Community Events











Don't see your event here?
Let us know!


language facebook unittest series symfony2 hhvm framework introduction install podcast component application database package hack release composer security opinion performance

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework