ayonkhan — 2013-01-29T17:07:50-05:00 — #1
I've been using the portable PHP password hashing framework to hash passwords these days. I was wondering if it is safe to directly pass $_POST['password'] into the CheckPassword method?
require 'PasswordHash.php'; // the phpass class lives in this file
// $hashedPassword holds this user's stored hash, as fetched from the database
// 8 = base-2 log of the bcrypt cost; FALSE = prefer bcrypt over the portable MD5-based hash
$pwHash = new PasswordHash(8, FALSE);
$isMatch = $pwHash->CheckPassword($_POST['password'], $hashedPassword);
kylewolfe — 2013-01-29T17:16:33-05:00 — #2
Just curious, where are you getting $hasedPassword from that you are passing into CheckPassword()?
ayonkhan — 2013-01-29T17:19:59-05:00 — #3
kylewolfe — 2013-01-29T17:23:51-05:00 — #4
I'm a little confused as to what this "framework" is doing then. There could only possibly be a few lines of code behind that function to encrypt / salt the provided pass. Actually if you're pulling the hashed pwd yourself, then it could only be a static salt which is garbage anyways.
Short answer, yes it should be fine to pass POST directly to that script. I'd have a look around at some threads / pages on this topic though. Since you're concerned with security, you'll gain experience + more security from writing something yourself after learning a bit more on the topic. There's not too much to it.
EDIT: For a long winded discussion that didn't really get us anywhere... http://www.sitepoint.com/forums/showthread.php?904383-Let-s-talk-security&highlight=talk+security Some interesting things came up there anyways.
ayonkhan — 2013-01-29T17:34:21-05:00 — #5
I think it's worth taking a peek. http://www.openwall.com/phpass/
And thanks for sharing that thread. Gonna read it in the morning.
kylewolfe — 2013-01-29T17:39:45-05:00 — #6
Eh, thanks but no thanks. Unless it's retrieving my salt, hash, user input, checking user input, and then on success resalting and rehashing, I'm not interested. Even if it did all of that, we are only talking about 10-15 lines of code that I would much rather write myself.
system — 2013-01-29T19:34:40-05:00 — #7
If you are using php 5.3.7 or above, try this: https://github.com/ircmaxell/password_compat
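To tie together what #4, #6 and #7 describe, here is an added example that is not code from the thread, from phpass, or from password_compat. It uses the password_hash()/password_verify()/password_needs_rehash() API that password_compat backports to PHP 5.3.7+ (native since PHP 5.5), so on 5.3/5.4 you would require password.php from that project first. The point it shows is the one asked in #1: the raw submitted password goes straight into the verify call, because the hash function treats it as opaque bytes and it is never interpolated into SQL or HTML, so it needs no escaping. The only input checks worth making are on type (PHP turns ?password[]=x into an array) and on length (bcrypt silently ignores everything after 72 bytes). The $users array and the $post array are constructed stand-ins for the database row and for $_POST; the register() and login() function names are my own.

```php
<?php
// Added example (not from the thread, phpass or password_compat).
// On PHP 5.3.7 / 5.4 uncomment the next line after installing password_compat:
// require 'password.php';

define('BCRYPT_COST', 10);      // 2^10 rounds; raise it as hardware gets faster
define('BCRYPT_MAX_BYTES', 72); // bcrypt only looks at the first 72 bytes of input

// Constructed stand-in for the users table: username => stored hash.
// In a real application this row is SELECTed by username.
$users = array();

// Returns false for input that must not reach the hash function:
// non-strings (array-valued form fields) and over-long passwords that
// bcrypt would silently truncate.
function acceptable_password($password)
{
    return is_string($password)
        && $password !== ''
        && strlen($password) <= BCRYPT_MAX_BYTES;
}

// Registration: hash with a per-password random salt (generated by
// password_hash itself) and store the resulting string verbatim.
function register($username, $password, array &$users)
{
    if (!acceptable_password($password)) {
        return false;
    }
    $users[$username] = password_hash($password, PASSWORD_BCRYPT,
                                      array('cost' => BCRYPT_COST));
    return true;
}

// Login: the submitted password is passed directly to password_verify.
// On success, rehash if the stored hash uses an older cost, as #6 asks for.
function login($username, $password, array &$users)
{
    if (!acceptable_password($password)) {
        return false;
    }
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    }
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        // Plaintext is available only now, during a successful login.
        $users[$username] = password_hash($password, PASSWORD_BCRYPT,
                                          array('cost' => BCRYPT_COST));
    }
    return true;
}

// Constructed request data standing in for $_POST. The password deliberately
// contains quote characters and SQL; none of it needs escaping here because
// it only ever reaches the hash function.
$post = array(
    'username' => 'alice',
    'password' => "pa'ss\"wo;rd -- DROP TABLE users",
);

register($post['username'], $post['password'], $users);

var_dump(login($post['username'], $post['password'], $users));
var_dump(login($post['username'], 'wrong password', $users));
var_dump(login($post['username'], array('x'), $users));   // what ?password[]=x produces
var_dump(login('nobody', $post['password'], $users));
```

The three rejected cases come from different places: a wrong password fails inside password_verify, the array fails the type check before any hashing, and the unknown user still pays for one bcrypt computation before being refused. The rehash step is the "on success resalting and rehashing" from #6; it is also what lets you raise BCRYPT_COST later without forcing a password reset.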
jeff_mott — 2013-01-29T19:54:57-05:00 — #8
Yes, that's safe.