Password Hashing: The Right Way

Password Hashing:
The Right Way
Jeremy Kendall - Memphis PHP
January 28, 2014

Wednesday, January 29, 14

I love to code


I love to code
I’m terribly forgetful


I love to code
I take pictures


I love to code
I take pictures
I work at OpenSky


I’m a Little Off My Game


What Qualiﬁes Me To Talk
About Security?


Not Much


Not Much
But that will work in our favor ...


Cryptography is Hard


Cryptography is Hard
Pro Tip: Leave it to the experts


The Wrong Way
<?php
class SecurityFail
{
// Encrypt Passwords for Highest Level of Security.
static public function encrypt($pword)
{
return md5($pword);
}
}

http://csiphp.com/blog/2012/02/16/encrypt-passwords-for-highest-level-of-security/


The Right Way

http://php.net/manual/en/ref.password.php

The Awesomer Way


Password Hashing Functions


Pro Tip: Use password_compat for PHP 5.3.7+


Pro Tip: Use password_compat for PHP 5.3.7+
Pro Tip: Use phpass for PHP <= 5.3.6


password_hash

http://www.php.net/manual/en/function.password-hash.php


password_hash
‣

Creates a new password hash



password_hash
‣
Strong, one-way hashing algorithm
‣



password_hash
‣
‣

‣

PASSWORD_DEFAULT or PASSWORD_BCRYPT



password_hash
‣
‣

‣

‣

PASSWORD_DEFAULT or PASSWORD_BCRYPT

Optional cost and salt



password_hash
‣

Always use PASSWORD_DEFAULT



password_hash
‣
Your DB’s password ﬁeld should be varchar(255)
‣



password_hash
‣
‣
Do not use your own salt
‣



password_hash
‣
‣
Do not use your own salt
‣
Check for an appropriate cost using the example script
‣ in the manual



password_hash
$hash = password_hash('secret pass', PASSWORD_DEFAULT);
// or
$options = array('cost' => 12);
$hash = password_hash('secret pass', PASSWORD_DEFAULT, $options);


password_verify


password_verify
‣


Veriﬁes that a password matches a hash

password_verify
‣
Uh, yeah, that’s about it
‣

Veriﬁes that a password matches a hash


password_verify
$valid = password_verify($_POST['pass'], $hashFromDb);


password_needs_rehash


‣


Checks password to see if it needs to be updated

‣
Uses both hash and cost to check current hash
‣

Checks password to see if it needs to be updated


$needsRehash = password_needs_rehash($hashFromDb, PASSWORD_DEFAULT);
// or
$needsRehash = password_needs_rehash($hashFromDb, PASSWORD_DEFAULT, $options);


That’s Awesome and Secure


But Could It Be Awesomer,
Securer, and Easier?


Password Validator


Password Validator
‣


Validates passwords against password_hash

Password Validator
‣
Will rehash when needed
‣



Password Validator
‣
‣
Will upgrade legacy passwords
‣



Password Validator
‣
‣
‣
Requires PHP 5.3.7+
‣



Password Validator
‣
‣
‣
Requires PHP 5.3.7+
‣
(No version for <=5.3.6 is in the works)
‣



Password Validator
use JeremyKendallPasswordPasswordValidator;
use JeremyKendallPasswordResult as ValidationResult;
$passwordHash = password_hash('password', PASSWORD_DEFAULT);
$validator = new PasswordValidator();
$result = $validator->isValid('password', $passwordHash);
$valid = $result->isValid();
$code = $result->getCode();
// $valid = true
// $code = ValidationResult::SUCCESS


Password Validator

$passwordHash = password_hash('password', PASSWORD_DEFAULT, $options);
$validator->setOptions($options);

// $valid = true
// $code = ValidationResult::SUCCESS


Password Validator

$passwordHash = password_hash('password', PASSWORD_DEFAULT, $options);
// Remember, default cost is 10, so a cost 9 hash gets rehashed

$hash = $result->getPassword();
// $valid = true
// $code = ValidationResult::SUCCESS_PASSWORD_REHASHED
// $hash = the new, rehashed password. Save it!


Fine, But We’re Not Using
password_hash Yet ...


Decorator Pattern

http://en.wikipedia.org/wiki/Decorator_pattern


Decorator Pattern
‣

Wrap an object



Decorator Pattern
‣
Change its behavior
‣
Wrap an object



Decorator Pattern
‣
Change its behavior
‣
Dynamically attach additional responsibilities
‣
Wrap an object



PasswordValidatorInterface
interface PasswordValidatorInterface
{
public function isValid($password, $passwordHash, $identity = null);
public function rehash($password);
public function setOptions(array $options);
public function getOptions();
}


Upgrade Decorator


Upgrade Decorator
‣


Used when you’re not already using password_hash ...

Upgrade Decorator
‣
... but you’re ready to do things the right way
‣



Upgrade Decorator
‣
‣
Accepts an instance of PasswordValidatorInterface ...
‣



Upgrade Decorator
‣
‣
Accepts an instance of PasswordValidatorInterface ...
‣
... and a validation callback
‣



Upgrade Decorator
// Somewhere in your authentication script
if (hash('sha512', $password) === $passwordHash) {
$valid = true;
}
$valid = false;


Upgrade Decorator
// Same authentication check expressed as a callback
$validationCallback = function ($password, $passwordHash) {
if (hash('sha512', $password) === $passwordHash) {
return true;
}
return false;
};


Upgrade Decorator
$validator = new UpgradeDecorator(
new PasswordValidator(),
$validationCallback
);
$passwordHash = hash('sha512', 'password');
$hash = $result->getPassword();
// $valid = true
// $code = ValidationResult::SUCCESS_PASSWORD_REHASHED
// $hash = the new, rehashed password. Save it!


Fine, But Now I Have to Test
for SUCCESS_PASSWORD_REHASHED
Every Time


Storage Decorator


Storage Decorator
‣


Automatically stores all rehashed passwords

Storage Decorator
‣
Accepts two constructor args:
‣



Storage Decorator
‣
‣
Instance of PasswordValidatorInterface
‣



Storage Decorator
‣
‣
Instance of PasswordValidatorInterface
‣
Instance of StorageInterface
‣



StorageInterface
interface StorageInterface
{
/**
* Updates user's password in persistent storage
*
* @param string $identity Unique user identifier
* @param string $password New password hash
*/
public function updatePassword($identity, $password);
}


UserDao
use JeremyKendallPasswordStorageStorageInterface;
class UserDao implements StorageInterface
{
protected $db;
public function __construct(PDO $db)
{
$this->db = $db;
}
public function updatePassword($identity, $newPasswordHash)
{
$sql = 'UPDATE users SET passwordHash = :passwordHash WHERE identity = :identity';
$stmt = $this->db->prepare($sql);
$stmt->execute(array('passwordHash' => $newPasswordHash, 'identity' => $identity));
return $this->find($identity);
}
}


Storage Decorator
use JeremyKendallPasswordDecoratorStorageDecorator;
$validator = new StorageDecorator($upgradeDecorator, $userDao);
// Uses the optional third argument for PasswordValidatorInterface::isValid()
$result = $validator->isValid('password', $passwordHash, 'arthur@arthurdent.com');
// Result is the same as any other validation attempt except ...
// ... ValidationResult::SUCCESS_PASSWORD_REHASHED hashes are automatically persisted!


Recap


Recap
‣


Use the new PHP password hashing functions

Recap
‣
Use Password Validator to make it dead simple
‣


Recap
‣
‣
If you’re not at PHP 5.5, use password_compat
‣


Recap
‣
‣
‣
If you’re not at PHP 5.3.7+, UPGRADE
‣


Recap
‣
‣
‣
‣
If you can’t upgrade, use OpenWall’s phpass
‣


Recap
‣
‣
‣
‣
If you can’t upgrade, use OpenWall’s phpass
‣
DO NOT ROLL YOUR OWN
‣


Resources


Resources
‣


PHP Password Hashing Functions: http://php.net/password

Resources
‣
Original password_hash RFC:
‣



https://wiki.php.net/rfc/password_hash

Resources
‣
‣
Password Validator:
‣


https://github.com/jeremykendall/password-validator


Resources
‣
‣
Password Validator:
‣
password_compat:
‣



https://github.com/ircmaxell/password_compat


Resources
‣
‣
Password Validator:
‣
password_compat:
‣
OpenWall phpass:
‣



https://github.com/ircmaxell/password_compat

http://www.openwall.com/phpass/


Thanks!
jeremy@jeremykendall.net
http://about.me/jeremykendall
@jeremykendall
http://365.jeremykendall.net


Password Hashing: The Right Way

Recommended

Recommended

More Related Content

More from Jeremy Kendall

More from Jeremy Kendall (17)

Recently uploaded

Recently uploaded (20)

Password Hashing: The Right Way