EVE-KILL / zKillboard

https://beta.eve-kill.net

password hashing #35

Closed karbowiak closed 11 years ago

karbowiak commented 11 years ago

Atm the password hashing is hardcoded into the site, thus basically telling everyone how many times we hash the PWs on zkillboard.com

Sooooooo, we have to move that to the config, and alter the hashing times before going online.

Thus forcing everyone to reset their passwords.. whoops..

raylu commented 11 years ago

wait, why is it re-hashing in a loop? why not use a salt?

karbowiak commented 11 years ago

I actually don't have a proper response for that.

Pretty sure we discussed how to do password hashes, and the end was a loop which seemed to be more secure.

raylu commented 11 years ago

a loop protects you against precomputed hashes (like rainbow tables) but if two people have the same password, it still comes out to the same hash, so some dictionary attacks are made easier

salting and/or using an HMAC is pretty easy and protects against both

lt commented 11 years ago

Forget all this nonsense about loops vs. salts. (you should be using both)

You should be using the compatibility library for the PHP 5.5 simple password hashing API

It uses bcrypt, generates secure salts, the algorithm internally loops depending on a "work value", and provides a mechanism for upgrading password strength as technology advances (or you are willing to invest more server resources).

As of PHP 5.5 this API is native, i.e. built into PHP core. It has had a lot of vetting by the community and "people who know about security".
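As an added illustration of the point made in this thread (not zKillboard's code, nor code from the thread's participants), the following contrasts a hypothetical unsalted hash loop with the `password_hash()` API described above. It assumes PHP 5.5+ or the ircmaxell/password_compat polyfill for the same functions; the cost value and the `legacy_loop_hash` scheme are assumptions for the example.

```php
<?php
// Added example: unsalted hash loop vs. the password_hash() API.
// On PHP < 5.5, load the polyfill first (path is an assumption):
//   require_once 'password_compat/lib/password.php';

// Hypothetical legacy scheme: iterate sha256 a fixed number of times, no salt.
function legacy_loop_hash($password, $rounds = 1000) {
    $h = $password;
    for ($i = 0; $i < $rounds; $i++) {
        $h = hash('sha256', $h);
    }
    return $h;
}

// Two users with the same password get the same digest, so cracking one
// reveals the other, and the round count is visible to anyone with the source.
var_dump(legacy_loop_hash('hunter2') === legacy_loop_hash('hunter2'));

// bcrypt via password_hash(): a random salt per call, and the cost (work
// factor) is stored inside the hash string, so it can be raised later.
$cost = 12; // assumed value; tune so one hash takes a fraction of a second on your server
$hash1 = password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => $cost));
$hash2 = password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => $cost));
var_dump($hash1 === $hash2);                  // false: different salts per call
var_dump(password_verify('hunter2', $hash1)); // correct password verifies
var_dump(password_verify('hunter3', $hash1)); // wrong password does not

// Login path: verify, then transparently upgrade any stored hash whose cost
// is below the configured value (no forced password reset needed).
function login_and_upgrade($password, $stored_hash, $cost) {
    if (!password_verify($password, $stored_hash)) {
        return null; // wrong password; caller rejects the login
    }
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => $cost))) {
        // Persist this new hash in the user record before returning.
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    return $stored_hash; // already at the configured cost, keep as is
}

$old = password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => 10));
$new = login_and_upgrade('hunter2', $old, 12);
var_dump($new !== $old && password_verify('hunter2', $new));
```

Raising the configured cost later only requires changing `$cost`; existing users are migrated on their next successful login rather than by a mass reset.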

karbowiak commented 11 years ago

You're right leight, PP talked about it yesterday as well.

I or someone else, will have a look at it, and most likely move over to that :)