PHP :: Request #78969 :: Expose php_password_algo

Request #78969	Expose php_password_algo_default() to userland
Submitted:	2019-12-16 12:14 UTC	Modified:	2020-01-23 00:48 UTC
From:	craig at craigfrancis dot co dot uk	Assigned:	kocsismate (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	7.4.0	OS:	N/A
Private report:	No	CVE-ID:	None

View Developer Edit

[2019-12-16 12:14 UTC] craig at craigfrancis dot co dot uk

Description:
------------
PHP 7.3 allows you to determine if the default password hashing algorithm will be bcrypt.

PHP 7.4 defines PASSWORD_DEFAULT as NULL, so you can't tell what password_hash() will use.

For most systems this is fine, but bcrypt does have a couple of little issues (the limit of 72 characters for many implementations, and how it handles the NULL character).

So following the advice from ParagonIE and Dropbox, I do a quick hash of the password before passing it into password_hash(). But this work around won't be necessary for Argon2, or future password hashing methods.

https://stackoverflow.com/questions/59273258/identifying-what-password-default-will-be-in-php-7-4
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#why-scrypt
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/

Test script:
---------------
    $password = normalizer_normalize($password, Normalizer::FORM_KD);

    if (PASSWORD_DEFAULT === PASSWORD_BCRYPT) {
        $password = base64_encode(hash('sha384', $password, true));
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-12-16 15:05 UTC] requinix@php.net

-Summary: No way to tell if bcrypt will be used in password_hash by default +Summary: Expose php_password_algo_default() to userland -Type: Bug +Type: Feature/Change Request -Package: hash related +Package: *General Issues

[2019-12-16 15:05 UTC] requinix@php.net

Note that new hashing algorithms are mandated to only be added during major (x.0.0) or minor (x.y.0) releases. So for the lifetime of PHP 7.4, bcrypt is the default.

> I do a quick hash of the password before passing it into password_hash()
This decreases the overall security of the hash. Even if it's "boring cryptography", please don't do this. It's a matter of principle: don't hash hashes.

[2019-12-16 16:20 UTC] craig at craigfrancis dot co dot uk

> "This decreases the overall security of the hash [...] don't hash hashes"

Not so for bcrypt... which is an old-ish hashing algorithm, with 2 fairly well known issues (fortunately they are also minor, so most programmers shouldn't care).

The quick hash before solves those issues (this is why Scott Arciszewski and Dropbox do it); but you are right in general, this would be bad for future algorithms (such as Argon2), and is why I only want to do this for bcrypt, while being ready for when PASSWORD_DEFAULT moves away from bcrypt.

[2020-01-21 23:25 UTC] kocsismate@php.net

-Assigned To: +Assigned To: kocsismate

[2020-01-21 23:28 UTC] kocsismate@php.net

Hi Craig,

I've just opened a PR in order to add the missing functionality: https://github.com/php/php-src/pull/5104

Don't hesitate to give feedback about the (preliminary) implementation.

[2020-01-22 00:23 UTC] craig at craigfrancis dot co dot uk

Thanks kocsismate, I like your idea of matching `password_get_info()` with the ability to see the default options as well, that’s a really nice touch.

[2020-01-22 21:59 UTC] kocsismate@php.net

The ship is sailing in another direction... :) So it might be possible to fix the issue in a next minor version of PHP 7.4. See the discussion in the PR for context.

[2020-01-23 00:48 UTC] craig at craigfrancis dot co dot uk

Thanks kocsismate, I think that works as well, and is better for backwards compatibility reasons.

But it might be worth keeping your idea for returning the default options at some point, not that I *need* it, but someone might (says he knowing that we should only add things to PHP that people will actually use).

[2020-01-27 12:58 UTC] kocsismate@php.net

Automatic comment on behalf of kocsismate@woohoolabs.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea1b8788773fe9d5fd517704da332f0725714b8b
Log: Fix #78969 Make PASSWORD_DEFAULT match PASSWORD_BCRYPT instead of being null

[2020-01-27 12:58 UTC] kocsismate@php.net

-Status: Assigned +Status: Closed

[2020-01-27 13:05 UTC] kocsismate@php.net

Automatic comment on behalf of kocsismate@woohoolabs.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea1b8788773fe9d5fd517704da332f0725714b8b
Log: Fix #78969 Make PASSWORD_DEFAULT match PASSWORD_BCRYPT instead of being null

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC