BLACKBELT

Development PHP Security

Authored by Corey Ballou

2 Comments

Secure PHP Authentication Revisited

Awhile back I had posted on the topic of Securing PHP User Authentication, Login, and Sessions. While the majority of methods for increasing obscurity remain true, the hashing algorithms used have become increasingly insecure. If you have not done so, I highly recommend reading the original article before continuing as it contains additional strategies not mentioned here. There are some inherent security considerations to take into account when using very fast hashing algorithms such as SHA1 or MD5. Modern day, multi-processor computers and GPUs can quickly brute-force passwords that weren’t encrypted with a very slow, secure algorithm. For these reasons, I have taken it upon myself to create a new, informative post on proper implementation of encryption using bcrypt with fallbacks on sha-256/512 with key stretching. At the end of this post you can find some external references as to why you should ditch MD5 and SHA1 in favor of bcrypt.

Secure Encryption Class using bcrypt

Below you will find a class which can easily be migrated to create a more robust and secure login authentication system for your sites. Likewise, it can just as easily be used for one-way encryption

Example Encryption Usage

Below you will find an example of encrypting a string using the SecureHash class.

Example Password Verification

Below you will find an abridged example of verifying a user’s login credentials. The process has some additional steps outside the scope of this post, but they should be covered to give you an idea of how to implement this class fully. After a user enters their email address and password, your system needs to take the user’s email address and perform a database lookup to determine if a user account exists matching the supplied email address. If an account exists, you need to return the user’s encrypted password and salt from the matching database row. With the returned salt, you need to run the encryption over the user supplied password to generate an encrypted password. We use this encrypted password and compare it to the returned encrypted password from the database to check for equality. If the two encrypted passwords are the same, the user supplied the correct password and we can log him in. It’s up to you to implement the database calls and login; it’s only been pseudo-coded in for completeness.

With that being said, please stop using anything other than bcrypt on your sites. You’re putting yourself and your users at risk when you do. Below are some articles of particular interest on why you should be using bcrypt as opposed to others:

Recommended Reading

Author: Corey Ballou

Corey is a seasoned PHP developer specializing in custom web applications development. He is an avid blogger, open source contributor, beer lover, homebrewer, entrepreneur, and Queen City PHP co-organizer. You can follow him on Twitter @cballou or visit his website coreyballou.co.

  • http://xeoncross.com/ David

    You can actually do this all in a single line: https://gist.github.com/2407214

    After all, unlike the hash – the salt doesn’t need to be “un-guessable” – just random.

    • http://www.coreyballou.com/ Corey Ballou

      I like the conciseness, thanks for linking. Wrap that bad boy up in a class, add a validation function, and call it a day. I’m only suggesting that because it makes it more plug-and-play with all of the MVC frameworks.