We have seen many websites have their databases, sensitive information like passwords included, leaked. Recently we heard that LinkedIn had trouble, and I also remember GOMTV asking its customers to change their passwords. Anyway, I have had to change all my passwords twice since fall 2011. The first big mistake I realized is that I use the same email/password EVERYWHERE. This is a very bad practice. First of all, I wanted to make sure all the websites we have developed recently provide decent security when it comes to hashing.

My preferred hashing method in PHP:

I used to use salted SHA-512 to secure my passwords. I understood recently that general-purpose “hashing” methods are bad at preventing rainbow-table or brute-force attacks. Why? Because they are designed to be fast, to hash a big file very quickly, which is exactly what you DO NOT want for your passwords. You want the password “hashing” method to be slow and a “pain in the ass” for the CPU. The slower your hashing function, the higher your security. My old hashing function is something like this:

$siteLongKey = '5efd8123878793f88bf1362905ae209794a8602f92969a67862b925fd6e509';

// Keyed hash of password + per-user nonce (salt). The site key is secret,
// but HMAC-SHA512 is as fast to compute as plain SHA-512.
function hashPassword($password, $nonce = '') {
    global $siteLongKey;
    return hash_hmac('sha512', $password . $nonce, $siteLongKey);
}

It is way better than md5 or sha1, but since it computes just as fast as a plain SHA-512, it is not something we can call “hard to reverse”.

Portable PHP Password Framework

After researching for my project Cloakmy, I figured the best way to hash passwords in PHP is to use the PHPass framework. It uses bcrypt, which is pretty secure in terms of computational cost. You can configure the number of rounds, knowing that the cost of computing the hash grows exponentially with it (each extra round doubles the work), and so does the time needed to verify the hash. If you plan to use it on a high-demand platform, you should consider lowering the number of rounds a bit.

require_once 'PasswordHash.php'; // PHPass

$rounds = 10;                                 // bcrypt cost: 2^10 iterations
$t_hasher = new PasswordHash($rounds, FALSE); // FALSE = prefer bcrypt over the weaker "portable" hashes

$correct = 'test12345';
$hash = $t_hasher->HashPassword($correct);    // salt is generated for you

print 'Hash: ' . $hash . "\n";

$check = $t_hasher->CheckPassword($correct, $hash);
print "Check correct: '" . ($check ? '1' : '0') . "' (should be '1')\n";
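The rounds trade-off described above, worked through as an added example that is not from the original post or from PHPass: it uses PHP's built-in password_hash() (PHP 7 or later), which produces the same bcrypt "$2y$" hashes, to measure how long each cost takes on this server, keep the highest cost under an assumed 250 ms budget, and upgrade weaker stored hashes transparently at login. The function names pickBcryptCost, storeNewPassword and verifyAndMaybeRehash are chosen here.

```php
<?php
// Added example, not from the original post or from PHPass. Uses PHP's
// built-in password_hash() (PHP 7 or later), which emits the same bcrypt
// "$2y$" hashes, to (1) calibrate the cost for this server, (2) hash with a
// fresh random salt, and (3) transparently upgrade weaker hashes at login.
// Assumption: 250 ms per hash is an acceptable budget for the login endpoint.

function pickBcryptCost(float $budgetSeconds = 0.25, int $minCost = 10, int $maxCost = 14): int {
    // Each cost unit doubles the work (2^cost iterations), so step up until
    // the next cost would exceed the budget and keep the last one that fit.
    $cost = $minCost;
    while ($cost < $maxCost) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $budgetSeconds) {
            break;
        }
        $cost++;
    }
    return $cost;
}

function storeNewPassword(string $password, int $cost): string {
    // password_hash() draws a random 128-bit salt per call, so two users
    // with the same password still get different hashes.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyAndMaybeRehash(string $password, string $storedHash, int $cost): array {
    // Returns [ok, newHash]; newHash is null unless the stored hash was made
    // with a lower cost than the current policy and should be replaced.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $needsUpgrade = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return [true, $needsUpgrade ? storeNewPassword($password, $cost) : null];
}

$cost = pickBcryptCost();
$hash = storeNewPassword('test12345', $cost);
print "cost=$cost hash=$hash\n";

list($ok, $newHash) = verifyAndMaybeRehash('test12345', $hash, $cost);
print 'Check correct: ' . ($ok ? '1' : '0') . ', rehash needed: ' . ($newHash ? 'yes' : 'no') . "\n";

// A legacy hash made at cost 4 still verifies, but comes back flagged for upgrade.
$legacy = password_hash('test12345', PASSWORD_BCRYPT, ['cost' => 4]);
list($ok, $newHash) = verifyAndMaybeRehash('test12345', $legacy, $cost);
print 'Legacy check: ' . ($ok ? '1' : '0') . ', rehash needed: ' . ($newHash ? 'yes' : 'no') . "\n";
list($ok, $newHash) = verifyAndMaybeRehash('wrong-password', $hash, $cost);
print 'Wrong password: ' . ($ok ? '1' : '0') . "\n";
```

Store the returned newHash in place of the old one whenever it is non-null, and the whole user table migrates to the current cost as people log in.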

User Behavior

Password Strength

What I would recommend in terms of user behavior is to have a different, complex password for each service you use. Use a centralized password manager like LastPass to generate random passwords and store them in your secure vault; it is free, and the premium plan is $12/year. I do not know any of my passwords (Facebook, Twitter, LinkedIn, etc.); they are all randomly generated. The only password I know is the master password of my vault. If one of those services fails and my password is leaked, I do not have to worry about any of my other accounts.
