Newsgroups: php.internals
Xref: news.php.net php.internals:61893
Date: Tue, 31 Jul 2012 16:44:24 +0200
From: nikita.ppv@gmail.com (Nikita Popov)
To: Jonathan Bond-Caron
Cc: Anthony Ferrara, internals@lists.php.net
In-Reply-To: <009401cd6f28$b71c69c0$25553d40$@com>
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

On Tue, Jul 31, 2012 at 4:28 PM, Jonathan Bond-Caron wrote:
> Thanks, I missed it...
>
> I strongly disagree with this, the 'pepper' IMHO is a best practice for web
> applications.
>
> I prefer to live with the idea that an attacker may compromise some
> database(s) in the 'cloud' but not the physical machine where you can store
> the pepper either in a file, shared memory etc...
>
> As far as missing research papers, it's hard to do research on the benefit
> of keeping something private. If/when databases do get hacked, it's rarely
> released to the public how it happened.
>
> When it comes to web applications, my opinion is odds are greater in SQL
> injection / data theft success than gaining physical access to the machine.
> #1 SQL Injection: https://www.owasp.org/index.php/Top_10_2010
>
> Sure it's an added layer of security but it's hard to deny the 'pepper'
> can't help protect passwords against the #1 risk for php/web applications.
>
> A pepper in UNIX crypt() itself would be obviously useless, the user already
> has access to the physical machine (cat /etc/passwd).

If you really want to use a secret you should encrypt the resulting
password hash with a proper encryption algorithm. Hashing algorithms are
not designed for this purpose.

Nikita
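Nikita's suggestion, encrypting the hash that password_hash() produces under a key kept outside the database rather than feeding a pepper into the hash itself, as an added example in PHP. This is not code from the thread or from the password_hash RFC; it assumes ext/sodium (PHP 7.2 or later) is available and that the key normally comes from a file, environment variable or KMS outside the database. For the demo the key is generated in memory. It goes slightly beyond the message by also showing key rotation, which is the practical advantage of encryption over a pepper: the stored records can be re-encrypted without any user logging in again.

```php
<?php
// Added example, not from the php.internals thread or PHP's own sources.
// Layout of a stored record: base64( nonce || secretbox(bcrypt_hash) ).
declare(strict_types=1);

/** Hash the password with password_hash(), then encrypt that hash under $key. */
function protectPassword(string $password, string $key): string
{
    // Normal salted bcrypt hash; the salt stays inside this string.
    $hash  = password_hash($password, PASSWORD_DEFAULT);
    // Fresh random nonce per record; XSalsa20-Poly1305 via libsodium.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($hash, $nonce, $key);
    return base64_encode($nonce . $box);
}

/** Decrypt the stored record and verify; any decryption failure counts as a mismatch. */
function verifyProtectedPassword(string $password, string $stored, string $key): bool
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return false; // malformed record
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Authenticated decryption: wrong key or a modified ciphertext yields false.
    $hash = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($hash === false) {
        return false;
    }
    return password_verify($password, $hash);
}

/** Re-encrypt one record under a new key; the user's password is not needed. */
function rotateKey(string $stored, string $oldKey, string $newKey): string
{
    $raw   = base64_decode($stored, true);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $hash  = sodium_crypto_secretbox_open($box, $nonce, $oldKey);
    if ($hash === false) {
        throw new RuntimeException('record does not decrypt under the old key');
    }
    $newNonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($newNonce . sodium_crypto_secretbox($hash, $newNonce, $newKey));
}

// Demo. The key is constructed in memory here; in a real deployment it is
// loaded from outside the database (file, shared memory, env, KMS).
$key      = sodium_crypto_secretbox_keygen();
$password = 'correct horse battery staple'; // constructed sample value
$stored   = protectPassword($password, $key);

var_dump(verifyProtectedPassword($password, $stored, $key));
var_dump(verifyProtectedPassword('not the password', $stored, $key));
var_dump(verifyProtectedPassword($password, $stored, sodium_crypto_secretbox_keygen()));

// Rotation: the record keeps verifying under the new key, and stops under the old one.
$newKey  = sodium_crypto_secretbox_keygen();
$rotated = rotateKey($stored, $key, $newKey);
var_dump(verifyProtectedPassword($password, $rotated, $newKey));
var_dump(verifyProtectedPassword($password, $rotated, $key));
```

Two points follow from the design. First, because the ciphertext is authenticated, an attacker who only has the database rows cannot run an offline guessing attack against the bcrypt hashes at all; they are opaque without the key, which is the property the pepper was meant to provide. Second, the password itself never has to be known to change the key, so a suspected key exposure is handled by re-encrypting the table, whereas a pepper baked into the hash input can only be replaced the next time each user logs in.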