[OWASP_PHPSEC] new libraries- PHP Password Management Library

johanna curiel curiel johanna.curiel at owasp.org
Mon May 27 13:53:43 UTC 2013


Hi Rahul,

One I think is very important and that we can start with is PHP Password management.

Is it clear which rules you can implement in this library?
We need to break down for each section specific rules such as:
What kind of Encryption will be used for password storing?

I would like to see a breakdown of how each section will be implemented.

For example

From your proposal you mentioned:

3. *PHP Password Management Library*

This would be a lightweight library for:

i. *Enforcing secure passwords:* There are many sources that cite the most
common passwords that must be avoided, e.g.
here <http://gcn.com/articles/2012/10/23/25-worst-passwords-2012.aspx> and
here <http://www.passworddragon.com/avoid-common-passwords>. Also many
reliable sources including
OWASP <https://www.owasp.org/index.php/Password_length_%26_complexity> provide
general guidelines for password length and complexity. This
library would implement these guidelines for forcing users to keep a strong
and secure password by combining heuristics, entropy, pattern recognition
etc.

Rules (among others):

• Four characters, A-Z, all uppercase, results in 26^4 (456,976)
combinations, the equivalent of a 52-bit key.
• Four characters, alphanumeric, upper- and lowercase, results in 62^4
combinations, the equivalent of a 124-bit key.
• Four ASCII-printable characters (including space) results in a staggering
94^4 possible combinations, or 78 million combinations.



ii. *Password Storage and Salting:* Password theft on many
websites discloses the password storage scheme, the weakness of that
scheme, and often discloses a large population of compromised credentials
that can affect multiple web sites or other applications. OWASP provides a
cheat sheet and general guidelines
here <https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet> for
developers to build a secure storage scheme. This library would follow
these guidelines and will provide the developers with a ready
implementation of these guidelines.


Which algorithm is recommended?

RSA, 3DES?

Hashing: SHA256


Please research which one you consider the best for this part of the
library, or can we offer different types?



iii. *Password generation scheme updating:* The guidelines
for secure passwords keep updating as new problems are introduced. Thus
our library's implementation would have functions that make this task easy
for developers to change the scheme which generates good cryptographically
secure passwords. e.g. the recent LinkedIn attack.


iv. *Password Reusability:* This library would restrict
users from using old passwords as new passwords. This could be implemented
by keeping the hash of the user's last 'n' passwords and checking if the new
password matches any of those hashes.

v. *Transaction Passwords:* A second way of authentication
(such as a separate transaction password or a temporary password sent to
mobile phones) is sometimes needed for secure and sensitive transactions.
e.g. online money transfer.


Regards


Johanna
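An added example, not code from Rahul's proposal or from the list, of how the storage (ii) and reuse (iv) rules discussed above could look in PHP using the built-in password_hash()/password_verify() API (bcrypt with a random per-password salt; PHP 7.1+ syntax). The blocklist, history length and cost values are constructed assumptions.

```php
<?php
// Added example, not code from the proposal or the list. PHP 7.1+.
// Storage (section ii): password_hash() applies bcrypt with a random
// per-password salt and a tunable cost, so no hand-rolled salting is needed.
// Reuse check (section iv): keep the hashes of the user's last n passwords.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein']; // constructed sample
const HISTORY_LENGTH = 5;   // n previous hashes to retain (assumed value)
const BCRYPT_COST = 12;     // assumed value; raise as hardware gets faster
// Returns an error message, or null when the password passes the policy.
function checkPasswordPolicy(string $password): ?string
{
    if (strlen($password) < 12) {
        return 'Password must be at least 12 characters long.';
    }
    if (in_array(strtolower($password), COMMON_PASSWORDS, true)) {
        return 'Password is on the common-password blocklist.';
    }
    return null;
}

// The returned string embeds algorithm, cost and salt; store it as-is.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Each stored hash has its own salt, so the candidate must be verified against
// every history entry; comparing hash strings directly would never match.
function isReusedPassword(string $candidate, array $previousHashes): bool
{
    foreach ($previousHashes as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Validates, hashes and prepends the new password, trimming history to n.
function rotatePassword(string $newPassword, array $history): array
{
    if (($error = checkPasswordPolicy($newPassword)) !== null) {
        throw new InvalidArgumentException($error);
    }
    if (isReusedPassword($newPassword, $history)) {
        throw new InvalidArgumentException('Password was used recently.');
    }
    array_unshift($history, hashPassword($newPassword));
    return array_slice($history, 0, HISTORY_LENGTH);
}
```

Calling rotatePassword() twice with different passwords and then passing the first one to isReusedPassword() returns true; passing it to rotatePassword() again throws.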