GroundApps / ShoppingList_Backend

Simple Centralized Shoppinglist - php backend
GNU General Public License v3.0

PHP Requirements #22

Closed niboan closed 9 years ago

niboan commented 9 years ago

The PHP requirements according to the readme are >= 5. As INSTALL.php uses the password_hash() function, the requirements are in fact >= 5.5.0. This leaves two options:

  1. Update the readme
  2. Use crypt() instead

I would prefer option 2, as I am currently stuck on PHP 5.4 ;-)

ghost commented 9 years ago

Oh this is an error of mine. I will check it later and fix these

ghost commented 9 years ago

When we use crypt() we will take sha512, so you need PHP 5.3.2 or higher.

The problem here is, I think, that we must save the salt in the api.php file, and this is a security issue.

jklmnn commented 9 years ago

Do we really need to save the salt? I don't know exactly how and if the password_hash function stores the key. Maybe we can just generate a random salt for this one time?

ghost commented 9 years ago

We can try. I see that password_hash() gave the same string back as crypt(). But I think we should use sha512 or blowfish.

jklmnn commented 9 years ago

About the hashing algorithm we should stick with bcrypt.
For further explanation read: http://security.blogoverflow.com/2013/09/about-secure-password-hashing/

I just post the conclusion here:

Conclusion and Acknowledgments

Passwords should be hashed with either PBKDF2, bcrypt or scrypt. MD-5 and SHA-3 should never be used for password hashing, and SHA-1/2(password+salt) are a big no-no as well. Currently the most vetted hashing algorithm providing the most security is bcrypt. PBKDF2 isn't bad either, but if you can use bcrypt you should. Scrypt, while still considered very secure, hasn't been around for a long time, so it doesn't get recommended a lot, but it seems it will become the successor of bcrypt once it has been around a bit longer. Note that while there are some caveats and password bruteforcing strategies for PBKDF2 and bcrypt, they are still considered unfeasible for strong passwords (passwords longer than 8 characters, containing numbers, letters, signs and at least one capital letter).

ghost commented 9 years ago

But this means we need PHP 5.3. I think we can take this way here:

https://gist.github.com/dzuelke/972386

jklmnn commented 9 years ago

Can we create a fallback that checks for the PHP version? I don't want to weaken the security.

ghost commented 9 years ago

I think we can make it. I will create something.

jklmnn commented 9 years ago

:+1:
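The two points raised in the thread, whether the salt has to be stored separately and how to fall back when password_hash() is missing, can be shown in one snippet. The following is an added example, not code from the ShoppingList_Backend project or from anyone in this thread. It assumes PHP 5.3.7 or newer (the first version whose crypt() accepts the "$2y$" bcrypt prefix); the function names sl_hash_password(), sl_verify_password(), sl_random_bcrypt_salt() and the constant SL_BCRYPT_COST are hypothetical. On PHP >= 5.5 it calls password_hash()/password_verify(); on older versions it builds the same 60-character bcrypt string with crypt(). In both cases the cost and the salt are embedded in the returned hash, so only that one string needs to be stored and nothing secret has to live in api.php.

```php
<?php
// Added example (not the project's code): bcrypt hashing with a PHP-version fallback.
// SL_BCRYPT_COST is a hypothetical constant; 10 is a common default work factor.
define('SL_BCRYPT_COST', 10);

// Build a 22-character salt from the bcrypt alphabet [./A-Za-z0-9].
function sl_random_bcrypt_salt()
{
    if (function_exists('openssl_random_pseudo_bytes')) {   // available since PHP 5.3.0
        $bytes = openssl_random_pseudo_bytes(16);
    } else {
        // Last resort only: mt_rand() is not a cryptographic generator.
        $bytes = '';
        for ($i = 0; $i < 16; $i++) {
            $bytes .= chr(mt_rand(0, 255));
        }
    }
    // base64 uses '+', bcrypt uses '.'; 16 bytes give 24 chars, bcrypt wants 22.
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// Returns a 60-character "$2y$<cost>$<salt+hash>" string; store it as-is.
function sl_hash_password($password)
{
    if (function_exists('password_hash')) {                  // PHP >= 5.5.0
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => SL_BCRYPT_COST));
    }
    if (version_compare(PHP_VERSION, '5.3.7', '<')) {
        throw new RuntimeException('bcrypt ($2y$) needs PHP 5.3.7 or newer');
    }
    $salt = sprintf('$2y$%02d$%s', SL_BCRYPT_COST, sl_random_bcrypt_salt());
    $hash = crypt($password, $salt);
    // crypt() signals failure with a string shorter than 13 characters ("*0", "*1").
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function sl_verify_password($password, $hash)
{
    if (function_exists('password_verify')) {                // PHP >= 5.5.0
        return password_verify($password, $hash);
    }
    // crypt() reads cost and salt back out of $hash, so no separate salt is needed.
    $check = crypt($password, $hash);
    if (!is_string($check) || strlen($check) !== strlen($hash)) {
        return false;
    }
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    $diff = 0;
    for ($i = 0, $n = strlen($hash); $i < $n; $i++) {
        $diff |= ord($check[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

// Usage: hash once at install time, verify on each request.
$stored = sl_hash_password('correct horse battery staple');
var_dump(sl_verify_password('correct horse battery staple', $stored));
var_dump(sl_verify_password('wrong password', $stored));
```

Because both branches emit the "$2y$" format, a hash written by the crypt() fallback on PHP 5.4 is still verified by password_verify() after an upgrade to 5.5, so no re-hashing migration is needed when the server moves on.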