Newsgroups: php.internals
Xref: news.php.net php.internals:61892
To: "'Anthony Ferrara'"
References: <4FFF1831.8070902@sugarcrm.com> <005101cd6f18$9da38510$d8ea8f30$@com>
Date: Tue, 31 Jul 2012 10:28:11 -0400
Message-ID: <009401cd6f28$b71c69c0$25553d40$@com>
Subject: RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
From: jbondc@openmv.com ("Jonathan Bond-Caron")

> > RFC:
> > https://wiki.php.net/rfc/password_hash#the_api_does_not_support_pepper
>

Thanks, I missed it...

I strongly disagree with this; the 'pepper' IMHO is a best practice for web applications.

I prefer to live with the idea that an attacker may compromise some database(s) in the 'cloud' but not the physical machine, where you can store the pepper either in a file, shared memory, etc...

As far as missing research papers, it's hard to do research on the benefit of keeping something private. If/when databases do get hacked, it's rarely released to the public how it happened.

When it comes to web applications, my opinion is that the odds are greater of SQL injection / data theft success than of gaining physical access to the machine.

#1 SQL Injection: https://www.owasp.org/index.php/Top_10_2010

Sure it's an added layer of security, but it's hard to deny the 'pepper' can help protect passwords against the #1 risk for PHP/web applications.

A pepper in UNIX crypt() itself would be obviously useless; the user already has access to the physical machine (cat /etc/passwd).
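The scheme the message argues for (a pepper kept on the machine, outside the database, so a dump obtained through SQL injection is not enough to run an offline guessing attack) looks like the following when layered on top of the proposed password_hash()/password_verify() API. This is an added example, not code from the thread, the RFC, or PHP's own implementation. It assumes PHP 7.0 or later and a hypothetical pepper file path (/etc/myapp/pepper.key); the pepper is applied as an HMAC key before hashing rather than concatenated, so its length does not eat into bcrypt's 72-byte input limit and the hashed value contains no NUL byte that bcrypt would truncate at.

```php
<?php
// Added example, not part of the original message or of PHP's password_hash().
// Assumes PHP >= 7.0. The pepper file path is hypothetical; it should live
// outside the web root, be readable only by the application user, and never
// be readable by the database server's process (see the note below).

const PEPPER_FILE = '/etc/myapp/pepper.key';   // hypothetical path, e.g. mode 0400

/**
 * Load the pepper from the local file system: it is deliberately not a row
 * in the database, so a database dump alone does not contain it.
 */
function load_pepper(string $path = PEPPER_FILE): string
{
    $pepper = @file_get_contents($path);
    if ($pepper === false || strlen(trim($pepper)) < 32) {
        throw new RuntimeException('pepper unavailable or too short');
    }
    return trim($pepper);
}

/**
 * Pre-hash the password with HMAC-SHA256 keyed by the pepper.
 * The raw 32-byte MAC is base64-encoded (44 chars) so the value handed to
 * bcrypt is NUL-free and well under bcrypt's 72-byte limit.
 */
function pepper_password(string $password, string $pepper): string
{
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

/** Hash for storage: bcrypt (with its own per-user salt) over the peppered value. */
function hash_password(string $password, string $pepper): string
{
    return password_hash(pepper_password($password, $pepper), PASSWORD_BCRYPT, ['cost' => 12]);
}

/** Verify a login attempt against the stored hash, using the same pepper. */
function verify_password(string $password, string $stored, string $pepper): bool
{
    return password_verify(pepper_password($password, $pepper), $stored);
}

// --- demo: a constructed pepper stands in for load_pepper() ---
$pepper = bin2hex(random_bytes(32));          // in production: $pepper = load_pepper();
$stored = hash_password('correct horse battery staple', $pepper);

var_dump(verify_password('correct horse battery staple', $stored, $pepper)); // bool(true)
var_dump(verify_password('wrong guess', $stored, $pepper));                  // bool(false)

// What an attacker holding only the database row can do: without the pepper,
// guesses checked directly against the stored hash do not match, and the
// attacker cannot compute pepper_password() for candidate passwords at all.
var_dump(password_verify('correct horse battery staple', $stored));           // bool(false)
```

Two practical points follow from the argument in the message. First, the pepper only helps if the SQL injection path really cannot reach it: on MySQL, a database account with the FILE privilege can read local files via LOAD_FILE() when the database server runs on the same host and the file is readable by the mysqld process, so the file permissions matter as much as keeping it out of the table. Second, the pepper cannot be rotated without invalidating every hash, since it is mixed in before bcrypt; storing a pepper version identifier alongside each hash lets old entries be re-hashed on the user's next successful login.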