Password (in)security


How to generate and store passwords in a secure way Posted by on October 11, 2012

Update: starting from PHP 5.6 you can use password_hash() and password_verify() to store users' passwords. They use bcrypt as the default algorithm.

A couple of weeks ago I presented the talk "Password (in)security, how to generate and store passwords in a secure way" during the Metro Olografix Camp (MOCA) in Pescara (Italy). MOCA is an Italian hacker camp inspired by the northern European camps such as the Chaos Communication Camp.

You can find the slides of the presentation here:

During the talk I tried to give an answer to the problem of how to generate and store a user's password in a secure way. I discussed the problem from the point of view of a user who has to generate a password that should be "robust" and easy to remember, and from the point of view of a developer who must store the user's password somewhere and wants to be sure that no one can access the content, not even the administrator of the system.

I discussed some recent password attacks on well-known web sites like LinkedIn, Yahoo, Last.fm, etc. I showed how to apply a brute-force attack using the power of GPUs and how easy it is to attack passwords stored using MD5/SHA1, with or without a salt value. I introduced the PBKDF2, bcrypt, and scrypt algorithms that can be used to store a user's password with a good security level. I showed some examples of usage using the PHP scripting language.
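As an added example (not code from the original post, the slides, or zend-crypt), the following script puts the two sides of the talk next to each other: the unsalted MD5 scheme that GPU cracking defeats, and the password_hash()/password_verify() API mentioned in the update above, used with bcrypt, an explicit cost factor and a rehash check at login. It assumes PHP 5.5 or later (when password_hash() was introduced); the constant BCRYPT_COST, the function names and the sample password are my own choices.

```php
<?php
// Added example, not part of the original post. Requires PHP >= 5.5 for
// password_hash() / password_verify() / password_needs_rehash().

// The weak scheme the talk warns about: one fast, unsalted hash. Every user
// with the same password gets the same digest, so a precomputed table works
// across accounts, and a GPU cracker tests billions of MD5 guesses per second.
function weak_store($password)
{
    return md5($password);
}

// Cost factor for bcrypt (2^cost rounds per hash). Assumed value: tune it so
// one hash takes roughly 100-250 ms on the server that will run the logins.
const BCRYPT_COST = 12;

// Recommended scheme: bcrypt through password_hash(). A random salt is
// generated internally and embedded in the returned string, and the cost
// factor makes every guess deliberately slow for an attacker as well.
function store_password($password)
{
    // bcrypt only uses the first 72 bytes of the input; refuse longer
    // passwords instead of silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Login check. password_verify() reads algorithm, cost and salt from the
// stored string and compares in constant time. If the stored hash uses an
// older (lower) cost than the current policy, a fresh hash is returned so the
// caller can update the record transparently.
function check_password($password, $stored)
{
    if (!password_verify($password, $stored)) {
        return array('ok' => false, 'rehash' => null);
    }
    $rehash = null;
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $rehash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    }
    return array('ok' => true, 'rehash' => $rehash);
}

// Constructed sample data: two users who picked the same password.
$pw = 'correct horse battery staple';

// With MD5 the two records carry the same digest, which is exactly what a
// rainbow table or a GPU dictionary run exploits.
printf("md5 user A:    %s\n", weak_store($pw));
printf("md5 user B:    %s\n", weak_store($pw));

// With bcrypt each record gets its own salt, so the stored strings differ
// even though the passwords are equal.
$hashA = store_password($pw);
$hashB = store_password($pw);
printf("bcrypt user A: %s\n", $hashA);
printf("bcrypt user B: %s\n", $hashB);

// Correct and wrong password against user A's record.
$good = check_password($pw, $hashA);
$bad  = check_password('wrong password', $hashA);
printf("login with right password: %s\n", $good['ok'] ? 'accepted' : 'rejected');
printf("login with wrong password: %s\n", $bad['ok'] ? 'accepted' : 'rejected');

// Simulate a record created under an older policy with a lower cost: the
// login path verifies it and hands back an upgraded hash to store.
$old     = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 10));
$upgrade = check_password($pw, $old);
printf("old-cost record needs rehash: %s\n", $upgrade['rehash'] !== null ? 'yes' : 'no');
```

Store whatever password_hash() returns as-is (it is a self-describing string of at most 60 characters for bcrypt), and when check_password() hands back a rehash, write it to the user's row in the same request; that is how a site raises its cost factor over time without forcing password resets.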

If you are a PHP developer I suggest having a look at the open source component zend-crypt of the Zend Framework project, which supports all the mentioned algorithms.