I'm working on a basic password system using the password_hash function, and was wondering about the need for the familiar 'Choose a password with uppercase, lowercase, number and symbol' rules.
PHP's password_hash automatically generates a strong random salt, adds it to the password and hashes the result. Then it outputs a final string that has three sections:
These sections are concatenated into a single string:
For example a password 'password' is processed as follows:
$password = 'password';
//using password_hash with Blowfish encryption
$hashtext = password_hash($password, PASSWORD_BCRYPT);
//user tries to log in with password $login
//which is hashed with the same encoder and salt as contained in $hashtext
if (password_verify ($login , $hashtext )) {
echo 'Password good';
}else {
echo 'Wrong password';
}
Assume that the $hashtext is stored in a database which later is hacked so that this is read and the encoding type and salt is known. Is the strength of the security now based solely on the strength of the password? ie the hacker sets up a function with the same encoder and salt value and runs through a dictionary of possible passwords until the resultant output is the same as $hashtext, confirming that the dictionary value being checked is the original password.
I assume that the randomness and complexity of the salt alone makes this process probably impractical, but would also making the original password p@55Word really add much to the security?
Yes, I realise that those are terrible choices for passwords!
Any help would be appreciated!
Many thanks, Kw
Salting, key-stretching, and password complexity rules have their own purposes and are not related to each other. The password_hash() function...
➽ makes sure, that there is no easier way to find the plaintext password, than with brute-forcing.
All these measures won't help if a user chooses a very weak password like 1234, because this is one of the first combinations an attacker will ever test. That's why password complexity rules where invented, in the hope that the users will choose stronger passwords.
This leads to the question, if such password complexity rules really make the passwords stronger (but this is independend of questions about hashing techniques). Here the discussion becomes a bit opinion based.
It is my own opinion, that complex rules will even decrease password security, because humans can't remember tons of strong passwords, and because they can interfere with good password schemes. People can get very inventive to circumvent such rules, the password Password-2017 will match most rules but is of course a very weak one. So my advice is to enforce only those two rules: