Upgrade crypt usages to password_hash, support Argon2 #250

Open
opened 9 months ago by ChristopherCormier · 0 comments

It might be nice to have the option of stronger hashing for installations that need bulletproof security. With the default crypt() function that TinyIB uses, it seems like it'd be trivial to use SHA-512 instead of Blowfish, and that would already be a decent improvement with a trivial change.

However, it seems like PHP is recommending use of password_hash() over crypt() these days. It mentions that it's compatible with crypt(), and "password hashes created by crypt() can be used with password_hash()".

password_hash() would allow the use of Argon2 for hashing, providing better protection. It also can use a random salt instead of your tripseed, likely keeping things secure even if your tripseed leaks.

Argon2 also provides better flexibility for performance, as the user can individually set the memory cost of computing the hash, the maximum amount of time it should take, and the number of threads used.

Support-wise, it requires PHP to be compiled with libargon2 support. Both PHP 7.4 and PHP 8.0 as they come in Debian are compiled with it and would work fine, but I haven't checked other distributions. When Argon2 is unavailable, password_hash() would still be usable, but it would have to use Blowfish instead.

With password_hash(), I imagine it would be best if Blowfish is still used as the default, but Argon2 is made available in the settings to those who'd want it.

tslocum added the enhancement label 9 months ago
tslocum changed title from [Request] An option for stronger hashing to Upgrade crypt usages to password_hash, support Argon2 2 months ago
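
The approach proposed in the issue, as an added example that is not part of the original post and not TinyIB's code: bcrypt stays the default, Argon2id is opt-in and falls back to bcrypt when PHP lacks Argon2 support, and hashes created by crypt() are verified and upgraded on successful verification. The setting name `HASH_ALGO_SETTING`, the function names, the cost values and the sample password are assumptions made for illustration.

```php
<?php
// Added example; not TinyIB code. HASH_ALGO_SETTING is a hypothetical setting name.
const HASH_ALGO_SETTING = 'argon2id'; // 'bcrypt' (default) or 'argon2id'

// Resolve the configured algorithm, falling back to bcrypt when this PHP
// build has no Argon2 support (PASSWORD_ARGON2ID is then undefined).
function select_algorithm(string $setting): array
{
    if ($setting === 'argon2id' && defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, [
            'memory_cost' => 65536, // KiB; constructed sample value
            'time_cost'   => 4,     // passes over memory; constructed sample value
            'threads'     => 1,
        ]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hash_password(string $password, string $setting = HASH_ALGO_SETTING): string
{
    [$algo, $options] = select_algorithm($setting);
    return password_hash($password, $algo, $options); // random salt per hash
}

// Verify against a stored hash (legacy crypt() output or password_hash()
// output) and return a replacement hash when the stored one is outdated.
function verify_and_upgrade(string $password, string $stored, string $setting = HASH_ALGO_SETTING): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    [$algo, $options] = select_algorithm($setting);
    $new = password_needs_rehash($stored, $algo, $options)
        ? password_hash($password, $algo, $options)
        : null;
    return [true, $new];
}

// Constructed demo: a legacy Blowfish hash as crypt() would have produced it.
$legacy = crypt('hunter2', '$2y$10$' . 'abcdefghijklmnopqrstuu');
[$ok, $upgraded] = verify_and_upgrade('hunter2', $legacy);
var_dump($ok);                      // bool(true)
echo $upgraded ?? $legacy, PHP_EOL; // new hash to store in place of $legacy
```

The caller stores the returned replacement hash only after a successful verification, so existing hashes migrate gradually without a bulk reset.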