Proposed Secure Password Hashing API in PHP 5.5

PHP 5.5 will be gaining a simpler and more newbie-friendly way to securely hash passwords. As those who are active in the PHP community are all too well aware, it is quite a trial to educate everyone on properly securing passwords in their applications. Even large web companies are routinely outed for their lax measures. Sometimes passwords are stored in plain text, and sometimes they might as well be, as when unsalted MD5 or SHA1 hashes are used. Remember the big scandal when Gawker Media’s database of user passwords was leaked, and the weak hashes were cracked within days? Or more recently, when it was discovered that Pandora not only stored your password in cleartext, but transmitted it that way as well? It seems that at least two well-known websites have a similar “facepalm” moment every year.

The PHP contributors want to help combat this problem—at least among companies using PHP, obviously the issue is by no means limited to PHP developers—with the new API. A couple of simple functions that even the most novice of developers can use will automatically take care of the hashing using bcrypt with a reasonable work factor.

The proposed syntax is something like this:

//hashing a new password
//(the API as shipped requires the algorithm argument; PASSWORD_DEFAULT
//selects bcrypt today and may point to a stronger algorithm in the future)
$hash = password_hash($password_entered, PASSWORD_DEFAULT);

//Checking a password
//(the salt and cost are embedded in $hash_from_database, so nothing else
//needs to be stored alongside it)
if (password_verify($password_entered, $hash_from_database)) {
    //password is valid if password_verify() returns true
}

For compatibility with versions of PHP prior to 5.5, you can even download a PHP implementation that will automatically be disabled in a PHP 5.5 environment.
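To show how the two functions fit into a real login flow, here is an added example (not code from the post or from the PHP project) that registers users with bcrypt, verifies logins, upgrades hashes whose cost has fallen behind, and transparently migrates legacy MD5 rows of the kind the post complains about. The "md5:" row prefix, the cost of 12 and the in-memory array standing in for a database are all assumptions made for the example.

```php
<?php
// Assumed cost; tune it so one hash takes roughly 100 ms on your server.
function bcryptOptions() {
    return ['cost' => 12];
}

// Register a user: password_hash() picks a random salt and embeds it in
// the returned string, so only that string needs to be stored.
function registerUser(array &$users, $username, $password) {
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, bcryptOptions());
}

// Returns true on a correct password and false otherwise.
function loginUser(array &$users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    // Legacy path: rows hashed with unsalted MD5 before the migration.
    // Constructed convention for this example: such rows start with "md5:".
    if (strpos($stored, 'md5:') === 0) {
        // Note: !== on hex digests is not a constant-time comparison; this
        // path exists only until every row has been upgraded.
        if (md5($password) !== substr($stored, 4)) {
            return false;
        }
        // A successful login is the only moment the plaintext is available,
        // so replace the weak hash with bcrypt right away.
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, bcryptOptions());
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Valid hash, but it may have been created with a lower cost (or a
    // different algorithm); rehash so stored hashes keep pace with hardware.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, bcryptOptions())) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, bcryptOptions());
    }
    return true;
}

// Constructed sample data: one bcrypt user, one legacy MD5 user.
$users = ['legacy' => 'md5:' . md5('correct horse')];
registerUser($users, 'alice', 'battery staple');
var_dump(loginUser($users, 'alice', 'battery staple'));   // bool(true)
var_dump(loginUser($users, 'alice', 'wrong'));            // bool(false)
var_dump(loginUser($users, 'legacy', 'correct horse'));   // bool(true)
var_dump(strpos($users['legacy'], '$2y$') === 0);         // bool(true): upgraded
```

On PHP versions before 5.5 the same code runs unchanged once the password_compat library mentioned below is included.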

The new Secure Password Hashing API in PHP 5.5 [GitHub]
