PhotoBackup / server-php

The PHP PhotoBackup server implementation
MIT License

Store the password in hashed form. #4

Status: Open. Zegnat opened this issue 8 years ago.

Zegnat commented 8 years ago

Several server implementations have been updated to allow for the password to be stored as a bcrypt hash. The PHP implementation supporting bcrypt will bring the minimum PHP version required up to 5.3.7.

While 5.3 (and 5.4) versions are no longer officially supported they are used in abundance. Over 40% of WordPress installations are on PHP 5.2 or 5.3 and according to W3Techs’ PHP statistics ~52% of all PHP servers use a version older than PHP 5.4. That is a huge part of the market that will be excluded, for a piece of open-source software that is relatively easy.

An alternative might be PBKDF2, which is the NIST recommended way of storing passwords. hash_pbkdf2 only came natively to PHP 5.5.0, but several pure-PHP implementations exist.

We could use the BSD licensed defuse/password-hashing for secure password storage without giving up on old PHP versions.
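The PBKDF2 route described above, carried through as an added example that is not code from this repository or from defuse/password-hashing: it uses hash_pbkdf2 where PHP 5.5+ provides it and otherwise a pure-PHP fallback built on hash_hmac, so the stored hash stays compatible with older PHP. The function names and the stored-string format are assumptions made for this example.

```php
<?php
// Added example, not code from the PhotoBackup server-php repository. PBKDF2-HMAC-SHA256
// password storage with a pure-PHP fallback (RFC 8018: U_1 = PRF(P, S || INT_32_BE(i)),
// U_j = PRF(P, U_{j-1}), T_i = U_1 xor ... xor U_c). Names and stored format are assumed.
function pbkdf2_derive($algo, $password, $salt, $iterations, $length) {
    if (function_exists('hash_pbkdf2')) {              // PHP >= 5.5, raw binary output
        return hash_pbkdf2($algo, $password, $salt, $iterations, $length, true);
    }
    $blocks = (int) ceil($length / strlen(hash($algo, '', true)));
    $output = '';
    for ($i = 1; $i <= $blocks; $i++) {
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u; // PHP xors equal-length strings byte by byte
        }
        $output .= $t;
    }
    return substr($output, 0, $length);
}

// Stored form (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
function photobackup_hash_password($password, $iterations = 100000) {
    if (function_exists('random_bytes')) {             // PHP >= 7.0
        $salt = random_bytes(16);
    } elseif (function_exists('openssl_random_pseudo_bytes')) { // PHP >= 5.3
        $salt = openssl_random_pseudo_bytes(16);
    } else {
        throw new RuntimeException('no CSPRNG available to generate a salt');
    }
    $dk = pbkdf2_derive('sha256', $password, $salt, $iterations, 32);
    return 'pbkdf2_sha256$' . $iterations . '$' . bin2hex($salt) . '$' . bin2hex($dk);
}

function photobackup_verify_password($password, $stored) {
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2_sha256') return false;
    $expected = pack('H*', $parts[3]);
    $actual = pbkdf2_derive('sha256', $password, pack('H*', $parts[2]), (int) $parts[1], strlen($expected));
    if (function_exists('hash_equals')) {              // PHP >= 5.6
        return hash_equals($expected, $actual);
    }
    $diff = strlen($expected) ^ strlen($actual);       // constant-time fallback compare
    for ($i = 0; $i < strlen($expected) && $i < strlen($actual); $i++) {
        $diff |= ord($expected[$i]) ^ ord($actual[$i]);
    }
    return $diff === 0;
}
```

Storing the output of photobackup_hash_password in the server config instead of the plaintext password means a leaked config no longer reveals the password itself; the iteration count is kept in the stored string so it can be raised later without breaking existing hashes.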

jkufner commented 8 years ago

See:

Zegnat commented 8 years ago

Like hash_pbkdf2, both password_hash and password_verify were introduced in PHP 5.5. If I want to keep compatibility with 5.2/5.3 those are a no-go.

Even with password_compat it would bring the required PHP version up to 5.3.7, because it relies on the same bcrypt implementation I was alluding to when I created this issue.

jkufner commented 8 years ago

PHP 5.5 was released in 2013. That was 3 years ago. Even current stable Debian has PHP 5.6.

Zegnat commented 8 years ago

> PHP 5.5 was released in 2013. That was 3 years ago. Even current stable Debian has PHP 5.6.

I know, but even in the half year since I opened this issue very little has changed regarding PHP installation statistics. Currently the only officially supported versions of PHP are 5.6 and 7.0. The exact statistics as of today (2016-08-10):

In fact, of all PHP 5 versions running on servers found by W3Techs, PHP version 5.3 (27.8%) is still the leading one. 5.4 (27.3%) is slightly behind, with 5.5 (20.0%) coming quite a few percentage points after.

WordPress for one supports PHP 5.2.4+. This means they need to consider fallbacks at every point, cannot use things like namespaces, and include (a modified) phpass for hashing.

I envisioned this repository as being the absolute minimum and simplest PHP implementation of the PhotoBackup server specification. Possibly a reference implementation for others to look at. Nothing more. In line with this, I would love not bumping the version requirements.

Maybe I need to reconsider my aim with this repository.

jkufner commented 8 years ago

Ok, according to the graphs you posted the reasonable minimal version is 5.3, cutting away about 10% of users. However, I would feel fine requiring the lowest supported version (5.6).

I would expect this repository to be a reference implementation without unnecessary dependencies (external libraries). It does not have to be the simplest possible --- a little complexity may be useful to allow integration into other projects or to allow authentication against custom services (like an IMAP server) in a multi-user setup, which significantly increases the usefulness of this repository.

My changes don't go all the way to this goal; they are just the first step. I also aim for making this project testable, so the user/developer can verify he did not change the API and everything is still working.