Password Hashing: The Right Way
Jeremy Kendall - Memphis PHP
January 28, 2014

Introduces the new PHP password hashing functions and Password Validator library.

Slide 1: Password Hashing: The Right Way
Jeremy Kendall - Memphis PHP
January 28, 2014
Wednesday, January 29, 14

Slides 2-6: About me
‣ I love to code
‣ I’m terribly forgetful
‣ I take pictures
‣ I work at OpenSky

Slide 7: I’m a Little Off My Game

Slides 8-10: What Qualifies Me To Talk About Security?
Not Much. But that will work in our favor ...

Slides 11-12: Cryptography is Hard
Pro Tip: Leave it to the experts
Slide 13: The Wrong Way
    <?php
    class SecurityFail
    {
        // Encrypt Passwords for Highest Level of Security.
        static public function encrypt($pword)
        {
            return md5($pword);
        }
    }
Source of the example: http://csiphp.com/blog/2012/02/16/encrypt-passwords-for-highest-level-of-security/
Slide 14: The Right Way
http://php.net/manual/en/ref.password.php

Slide 15: The Awesomer Way

Slides 16-18: Password Hashing Functions
Pro Tip: Use password_compat for PHP 5.3.7+
Pro Tip: Use phpass for PHP <= 5.3.6

Slides 19-23: password_hash
‣ Creates a new password hash
‣ Strong, one-way hashing algorithm
‣ PASSWORD_DEFAULT or PASSWORD_BCRYPT
‣ Optional cost and salt
http://www.php.net/manual/en/function.password-hash.php

Slides 24-28: password_hash
‣ Always use PASSWORD_DEFAULT
‣ Your DB’s password field should be varchar(255)
‣ Do not use your own salt
‣ Check for an appropriate cost using the example script in the manual
http://www.php.net/manual/en/function.password-hash.php

Slide 29: password_hash
    $hash = password_hash('secret pass', PASSWORD_DEFAULT);
    // or
    $options = array('cost' => 12);
    $hash = password_hash('secret pass', PASSWORD_DEFAULT, $options);
Slides 30-32: password_verify
‣ Verifies that a password matches a hash
‣ Uh, yeah, that’s about it

Slide 33: password_verify
    $valid = password_verify($_POST['pass'], $hashFromDb);

Slides 34-36: password_needs_rehash
‣ Checks password to see if it needs to be updated
‣ Uses both hash and cost to check current hash

Slide 37: password_needs_rehash
    $needsRehash = password_needs_rehash($hashFromDb, PASSWORD_DEFAULT);
    // or
    $options = array('cost' => 12);
    $needsRehash = password_needs_rehash($hashFromDb, PASSWORD_DEFAULT, $options);
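The three functions above are meant to be used together in one login flow. The following is an added example, not code from the slides or from Password Validator: it runs the cost-tuning loop that slide 28 refers to (in the style of the manual's example script), then verifies a login and regenerates the stored hash when password_needs_rehash() says so. The users array, the identity and the passwords are constructed sample values, and tuneCost(), login() and the $maxCost ceiling are this example's own.

```php
<?php
// Added example, not code from the slides: the manual's cost-tuning loop that
// slide 28 refers to, followed by the verify-then-rehash login flow the three
// password_* functions are meant for. The users array, identity and passwords
// are constructed sample values; tuneCost() and login() are this example's own.

// Raise the bcrypt cost until one hash takes at least $targetSeconds, the same
// idea as the manual's example script. $maxCost is a ceiling added here so the
// demo stays quick on slow machines.
function tuneCost($targetSeconds = 0.05, $maxCost = 12)
{
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, array('cost' => $cost));
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < $maxCost);
    return $cost;
}

// Login: verify first, and only after a successful verify decide whether the
// stored hash should be regenerated with the current options. Updates $users
// in place and returns array('valid' => bool, 'rehashed' => bool).
function login(array &$users, $identity, $password, array $options)
{
    // Verify against a fixed dummy hash when the account does not exist, so
    // an unknown username takes about as long to reject as a wrong password.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not a real password', PASSWORD_DEFAULT, $options);
    }
    $exists = isset($users[$identity]);
    $storedHash = $exists ? $users[$identity] : $dummyHash;
    $verified = password_verify($password, $storedHash);
    if (!$exists || !$verified) {
        return array('valid' => false, 'rehashed' => false);
    }

    $rehashed = false;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        // The plaintext is only available during login, so this is the moment
        // to upgrade the stored hash; persist it in the same request.
        $users[$identity] = password_hash($password, PASSWORD_DEFAULT, $options);
        $rehashed = true;
    }
    return array('valid' => true, 'rehashed' => $rehashed);
}

// Constructed users table: one account hashed at cost 9, below the default of
// 10, which is exactly the situation slide 48 describes.
$users = array(
    'arthur@arthurdent.com' => password_hash('password', PASSWORD_DEFAULT, array('cost' => 9)),
);

// Never go below the default cost, whatever the benchmark on this host says.
$options = array('cost' => max(10, tuneCost()));
printf("using bcrypt cost %d\n", $options['cost']);

foreach (array(
    array('arthur@arthurdent.com', 'password'),       // first login: the cost-9 hash gets upgraded
    array('arthur@arthurdent.com', 'password'),       // second login: stored hash is already current
    array('arthur@arthurdent.com', 'wrong password'), // rejected; stored hash is left untouched
    array('nobody@example.com', 'password'),          // unknown account; rejected via the dummy hash
) as $attempt) {
    list($identity, $password) = $attempt;
    $result = login($users, $identity, $password, $options);
    printf("%-22s %-15s valid=%d rehashed=%d\n", $identity, $password, $result['valid'], $result['rehashed']);
}
```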
Slide 38: That’s Awesome and Secure

Slide 39: But Could It Be Awesomer, Securer, and Easier?

Slides 40-45: Password Validator
‣ Validates passwords against password_hash
‣ Will rehash when needed
‣ Will upgrade legacy passwords
‣ Requires PHP 5.3.7+
‣ (No version for <=5.3.6 is in the works)

Slide 46: Password Validator
    use JeremyKendall\Password\PasswordValidator;
    use JeremyKendall\Password\Result as ValidationResult;

    $passwordHash = password_hash('password', PASSWORD_DEFAULT);
    $validator = new PasswordValidator();
    $result = $validator->isValid('password', $passwordHash);
    $valid = $result->isValid();
    $code = $result->getCode();
    // $valid = true
    // $code = ValidationResult::SUCCESS

Slide 47: Password Validator
    use JeremyKendall\Password\PasswordValidator;
    use JeremyKendall\Password\Result as ValidationResult;

    $options = array('cost' => 9);
    $passwordHash = password_hash('password', PASSWORD_DEFAULT, $options);
    $validator = new PasswordValidator();
    $validator->setOptions($options);
    $result = $validator->isValid('password', $passwordHash);
    $valid = $result->isValid();
    $code = $result->getCode();
    // $valid = true
    // $code = ValidationResult::SUCCESS

Slide 48: Password Validator
    use JeremyKendall\Password\PasswordValidator;
    use JeremyKendall\Password\Result as ValidationResult;

    $options = array('cost' => 9);
    $passwordHash = password_hash('password', PASSWORD_DEFAULT, $options);
    $validator = new PasswordValidator();
    // Remember, default cost is 10, so a cost 9 hash gets rehashed
    $result = $validator->isValid('password', $passwordHash);
    $valid = $result->isValid();
    $code = $result->getCode();
    $hash = $result->getPassword();
    // $valid = true
    // $code = ValidationResult::SUCCESS_PASSWORD_REHASHED
    // $hash = the new, rehashed password. Save it!

Slide 49: Fine, But We’re Not Using password_hash Yet ...

Slides 50-53: Decorator Pattern
‣ Wrap an object
‣ Change its behavior
‣ Dynamically attach additional responsibilities
http://en.wikipedia.org/wiki/Decorator_pattern

Slide 54: PasswordValidatorInterface
    interface PasswordValidatorInterface
    {
        public function isValid($password, $passwordHash, $identity = null);
        public function rehash($password);
        public function setOptions(array $options);
        public function getOptions();
    }

Slides 55-59: Upgrade Decorator
‣ Used when you’re not already using password_hash ...
‣ ... but you’re ready to do things the right way
‣ Accepts an instance of PasswordValidatorInterface ...
‣ ... and a validation callback
Slide 60: Upgrade Decorator
    // Somewhere in your authentication script
    $valid = false;
    if (hash('sha512', $password) === $passwordHash) {
        $valid = true;
    }
Slide 61: Upgrade Decorator
    // Same authentication check expressed as a callback
    $validationCallback = function ($password, $passwordHash) {
        if (hash('sha512', $password) === $passwordHash) {
            return true;
        }
        return false;
    };

Slide 62: Upgrade Decorator
    $validator = new UpgradeDecorator(
        new PasswordValidator(),
        $validationCallback
    );
    $passwordHash = hash('sha512', 'password');
    $result = $validator->isValid('password', $passwordHash);
    $valid = $result->isValid();
    $code = $result->getCode();
    $hash = $result->getPassword();
    // $valid = true
    // $code = ValidationResult::SUCCESS_PASSWORD_REHASHED
    // $hash = the new, rehashed password. Save it!
Slide 63: Fine, But Now I Have to Test for SUCCESS_PASSWORD_REHASHED Every Time

Slides 64-68: Storage Decorator
‣ Automatically stores all rehashed passwords
‣ Accepts two constructor args:
    ‣ Instance of PasswordValidatorInterface
    ‣ Instance of StorageInterface

Slide 69: StorageInterface
    interface StorageInterface
    {
        /**
         * Updates user's password in persistent storage
         *
         * @param string $identity Unique user identifier
         * @param string $password New password hash
         */
        public function updatePassword($identity, $password);
    }
Slide 70: UserDao
    use JeremyKendall\Password\Storage\StorageInterface;

    class UserDao implements StorageInterface
    {
        protected $db;

        public function __construct(PDO $db)
        {
            $this->db = $db;
        }

        public function updatePassword($identity, $newPasswordHash)
        {
            $sql = 'UPDATE users SET passwordHash = :passwordHash WHERE identity = :identity';
            $stmt = $this->db->prepare($sql);
            $stmt->execute(array('passwordHash' => $newPasswordHash, 'identity' => $identity));

            // find() is not shown on the slide; assumed to be the DAO's own
            // method that reloads the user record by identity
            return $this->find($identity);
        }
    }
Slide 71: Storage Decorator
    use JeremyKendall\Password\Decorator\StorageDecorator;

    $validator = new StorageDecorator($upgradeDecorator, $userDao);
    // Uses the optional third argument for PasswordValidatorInterface::isValid()
    $result = $validator->isValid('password', $passwordHash, 'arthur@arthurdent.com');
    // Result is the same as any other validation attempt except ...
    // ... ValidationResult::SUCCESS_PASSWORD_REHASHED hashes are automatically persisted!
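To show the Upgrade Decorator (slides 55-62) and the Storage Decorator (slides 64-71) working end to end without installing the library, here is an added example, not the Password Validator library's code: a minimal re-implementation of both decorators around PHP's built-in password_* functions. The interface and class names follow the slides, but the array that isValid() returns (in place of a Result object), the UserStore class and the two sample accounts are this example's own constructions.

```php
<?php
// Added example (not Password Validator's code): minimal Upgrade and Storage
// decorators around PHP's built-in password_* functions. Names follow the
// slides; isValid()'s array result, UserStore and the accounts are constructed.

interface PasswordValidatorInterface
{
    // Returns array('valid' => bool, 'rehashedHash' => string|null).
    public function isValid($password, $passwordHash, $identity = null);
}

interface StorageInterface
{
    public function updatePassword($identity, $password);
}

// Core validator: understands password_hash() output only.
class PasswordValidator implements PasswordValidatorInterface
{
    public function isValid($password, $passwordHash, $identity = null)
    {
        if (!password_verify($password, $passwordHash)) {
            return array('valid' => false, 'rehashedHash' => null);
        }
        $fresh = password_needs_rehash($passwordHash, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT) : null;
        return array('valid' => true, 'rehashedHash' => $fresh);
    }
}

// Upgrade: when the wrapped validator rejects the hash, try the legacy callback;
// a legacy match counts as valid and yields a fresh password_hash() to store.
class UpgradeDecorator implements PasswordValidatorInterface
{
    private $inner, $legacyCheck;
    public function __construct(PasswordValidatorInterface $inner, callable $legacyCheck)
    {
        $this->inner = $inner;
        $this->legacyCheck = $legacyCheck;
    }
    public function isValid($password, $passwordHash, $identity = null)
    {
        $result = $this->inner->isValid($password, $passwordHash, $identity);
        if (!$result['valid'] && call_user_func($this->legacyCheck, $password, $passwordHash)) {
            $result = array('valid' => true, 'rehashedHash' => password_hash($password, PASSWORD_DEFAULT));
        }
        return $result;
    }
}

// Storage: persist any fresh hash the wrapped validator produced, so the caller
// never has to test for a "rehashed" result code (needs an identity to key on).
class StorageDecorator implements PasswordValidatorInterface
{
    private $inner, $storage;
    public function __construct(PasswordValidatorInterface $inner, StorageInterface $storage)
    {
        $this->inner = $inner;
        $this->storage = $storage;
    }
    public function isValid($password, $passwordHash, $identity = null)
    {
        $result = $this->inner->isValid($password, $passwordHash, $identity);
        if ($result['valid'] && $result['rehashedHash'] !== null && $identity !== null) {
            $this->storage->updatePassword($identity, $result['rehashedHash']);
        }
        return $result;
    }
}

// Constructed in-memory stand-in for the users table.
class UserStore implements StorageInterface
{
    public $hashes = array();
    public function updatePassword($identity, $password) { $this->hashes[$identity] = $password; }
}
$store = new UserStore();
$store->hashes['arthur@arthurdent.com'] = hash('sha512', 'password'); // legacy scheme from slide 60
$store->hashes['ford@prefect.com'] = password_hash('towel', PASSWORD_DEFAULT, array('cost' => 9)); // below default cost
// The slide's sha512 check as a callback; hash_equals() (PHP 5.6+) keeps the comparison constant-time.
$legacyCheck = function ($password, $passwordHash) { return hash_equals($passwordHash, hash('sha512', $password)); };
$validator = new StorageDecorator(new UpgradeDecorator(new PasswordValidator(), $legacyCheck), $store);
foreach (array('arthur@arthurdent.com' => 'password', 'ford@prefect.com' => 'towel') as $identity => $password) {
    $result = $validator->isValid($password, $store->hashes[$identity], $identity);
    // One successful login is enough: both accounts now hold a current password_hash() hash.
    printf("%-22s valid=%d  stored hash now: %s...\n", $identity, $result['valid'], substr($store->hashes[$identity], 0, 7));
}
```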
Slides 72-78: Recap
‣ Use the new PHP password hashing functions
‣ Use Password Validator to make it dead simple
‣ If you’re not at PHP 5.5, use password_compat
‣ If you’re not at PHP 5.3.7+, UPGRADE
‣ If you can’t upgrade, use OpenWall’s phpass
‣ DO NOT ROLL YOUR OWN

Slides 79-84: Resources
‣ PHP Password Hashing Functions: http://php.net/password
‣ Original password_hash RFC: https://wiki.php.net/rfc/password_hash
‣ Password Validator: https://github.com/jeremykendall/password-validator
‣ password_compat: https://github.com/ircmaxell/password_compat
‣ OpenWall phpass: http://www.openwall.com/phpass/

Slide 85: Thanks!
jeremy@jeremykendall.net
http://about.me/jeremykendall
@jeremykendall
http://365.jeremykendall.net