WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0

Passwords: Pepper makes everything taste better #552

Open Forshock opened 10 months ago

Forshock commented 10 months ago

Enhance the password hashing with a pepper function. This significantly increases the complexity of cracking passwords (according to NIST and other researchers), with a few extra lines in the doPasswordEncode and doCheckPassword functions and in the install procedure (create the pepper in config.php?).

Additionally, the doCheckPassword function has a method for updating the older MD5 passwords, but it should also take into account the PHP hash updates that will eventually arrive. See password_needs_rehash for details.

instantflorian commented 10 months ago

It would be helpful if you create a pull request with the necessary changes.

mrbaseman commented 10 months ago

One problem I see is that it is not straightforward how to make the transition from installations without pepper to ones with pepper. Changing the pepper value afterwards invalidates all passwords. Unlike the move from MD5-hashed passwords to more secure algorithms, there is no indication in the hash string, out of the box, that it was created before the introduction of the pepper value. We might decorate the hash string with something to indicate this and strip it off again for the verification, but this indicator must be chosen carefully (I guess prepending another $ in particular is a bad choice ;-) )

Anyhow, there is some pseudo code provided in this comment which may help with the implementation once the problem of how to distinguish peppered hashes from older ones is solved...

thanks @Forshock for the hint with password_needs_rehash
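The following is an added example, not WBCE code and not from any participant in this thread. It sketches the scheme discussed above: a server-side pepper from config.php is folded into the password with an HMAC before password_hash(), peppered hashes carry a marker so that doCheckPassword can tell them apart from both legacy MD5 hashes and un-peppered password_hash() output, and every successful login through an old format (or through a hash that password_needs_rehash() flags) returns an upgraded hash to store. The marker string "pepper1|", the function names, and the pepper value are assumptions chosen for illustration; the marker deliberately does not begin with "$" so it cannot be confused with the crypt-style prefix of the real hash.

```php
<?php
declare(strict_types=1);

// Added example (not WBCE's implementation). Assumed: the pepper is a long
// random string read from config.php; the "pepper1|" marker is illustrative.
const PEPPER_PREFIX = 'pepper1|';          // marks hashes created with the pepper
const PASSWORD_ALGO = PASSWORD_DEFAULT;    // lets PHP's future algorithm changes trigger a rehash

// Fold the secret pepper into the password. HMAC keeps the value handed to
// password_hash() fixed-length (64 hex chars), well under bcrypt's 72-byte limit.
function pepperPassword(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

// Hash for storage; the prefix is what later tells us this hash was peppered.
function doPasswordEncode(string $password, string $pepper): string
{
    return PEPPER_PREFIX . password_hash(pepperPassword($password, $pepper), PASSWORD_ALGO);
}

// Verify against any of the three stored formats. On success, $newHash is set to
// an upgraded hash when the stored one should be replaced, otherwise stays null.
function doCheckPassword(string $password, string $stored, string $pepper, ?string &$newHash = null): bool
{
    $newHash = null;
    $prefixLen = strlen(PEPPER_PREFIX);

    // 1. Current format: peppered password_hash() output with our marker.
    if (strncmp($stored, PEPPER_PREFIX, $prefixLen) === 0) {
        $hash = substr($stored, $prefixLen);
        if (!password_verify(pepperPassword($password, $pepper), $hash)) {
            return false;
        }
        if (password_needs_rehash($hash, PASSWORD_ALGO)) {
            $newHash = doPasswordEncode($password, $pepper);   // PHP default changed
        }
        return true;
    }

    // 2. Legacy unsalted MD5 (32 hex chars). Constant-time compare, then upgrade.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $newHash = doPasswordEncode($password, $pepper);
        return true;
    }

    // 3. password_hash() output from before the pepper existed (no marker).
    if (!password_verify($password, $stored)) {
        return false;
    }
    $newHash = doPasswordEncode($password, $pepper);
    return true;
}

// --- demo with constructed values ---
$pepper   = 'constructed-demo-pepper-replace-with-random-bytes-from-config.php';
$password = 'correct horse battery staple';

$legacyMd5   = md5($password);                               // old WBCE-style hash
$unpeppered  = password_hash($password, PASSWORD_DEFAULT);   // pre-pepper modern hash
$peppered    = doPasswordEncode($password, $pepper);         // current format

foreach ([$legacyMd5, $unpeppered, $peppered] as $stored) {
    $upgrade = null;
    $ok = doCheckPassword($password, $stored, $pepper, $upgrade);
    printf("%-9s ok=%s upgrade=%s\n",
        substr($stored, 0, 8), $ok ? 'yes' : 'no', $upgrade === null ? 'none' : 'yes');
}

// A wrong password, or the right password with the wrong pepper, must fail.
var_dump(doCheckPassword('wrong', $peppered, $pepper));                 // bool(false)
var_dump(doCheckPassword($password, $peppered, 'some-other-pepper'));   // bool(false)
```

The login code path would write $newHash back to the user row whenever it is non-null, so the installation migrates one login at a time; users who never log in again keep their old hash, which is why the legacy MD5 branch must remain until an administrator forces a password reset. Note that this scheme only supports one pepper value: rotating it still requires a reset, unless the marker is extended to carry a pepper version that selects among several configured keys.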