[OWASP_PHPSEC] new libraries- PHP Password Management Library

Johanna Curiel johanna.curiel at owasp.org
Tue May 28 05:39:55 UTC 2013

So do I get the feeling that I have been left out of this project? 

On 27 mei 2013, at 09:53, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> Hi Rahul,
> One I think is very important and can start with is PHP Password management.
> Is it clear which rules can you implement in this library? 
> We need to break down for each section specific rules such as:
> What kind of Encryption will be used for password storing?
> I would like to see a breakdown of how each section will be implemented.
> For example
> From your proposal you mentioned:
> 3. PHP Password Management Library
> This would be a lightweight library for:
> i. Enforcing secure passwords: There are many sources that cite most common passwords that must be avoided. e.g. here and here. Also many reliable sources including OWASP provide general guidelines for password length and complexity. This library would implement these guidelines for forcing users to keep a strong and secure password by combining heuristics, entropy, pattern recognition etc.
> Rules (among others)
> • Four characters, A-Z, all uppercase, results in 26^4 (456,976) combinations, the equivalent of a 52-bit key.
> • Four characters, alphanumeric, upper- and lowercase, results in 62^4 combinations, the equivalent of a 124-bit key.
> • Four ASCII-printable characters (including space) results in a staggering 94^4 possible combinations, or 78 million combinations.
> ii. Password Storage and Salting: Password theft on many websites discloses the password storage scheme, the weakness of that scheme, and often discloses a large population of compromised credentials that can affect multiple web sites or other applications. OWASP provides a cheat sheet and general guidelines here for developers to build a secure storage scheme. This library would follow these guidelines and will provide the developers with a ready implementation of these guidelines.
> Which algorithm is recommended? 
> RSA, 3DES?
> Hashing: SHA256
> Please research which one you consider the best for this part of the library, or can we offer different types?
> iii. Password generation scheme updating: The guidelines for secure passwords keep updating as new problems are introduced. Thus our library's implementation would have functions that make this task easy for developers to change the scheme which generates good cryptographically secure passwords. e.g. Recent LinkedIn attack.
> iv. Password Reusability: This library would restrict users from using old passwords as new passwords. This could be implemented by keeping the hash of the user's last 'n' passwords and checking if the new password matches any of those hashes.
> v. Transaction Passwords: A second way of authentication (such as a separate transaction password or a temporary password sent to mobile phones) is sometimes needed for secure and sensitive transactions. e.g. online money transfer.
> Regards
> Johanna
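As an added illustration of items ii and iv in the quoted proposal (example code, not the thread's or the proposed library's own): salted storage with PHP's built-in password_hash(), which uses bcrypt by default, and a reuse check against the hashes of the user's last n passwords. The history depth and the sample passwords are made up for the demo.

```php
<?php
// Added example, not code from the OWASP_PHPSEC thread or the proposed library.
// Illustrates items ii (salted storage) and iv (rejecting the last N passwords)
// using PHP's password_hash()/password_verify(); assumes PHP 7.1 or later.

const PASSWORD_HISTORY_DEPTH = 5; // hypothetical policy value: remember 5 hashes

// password_hash() draws a random per-password salt and stores it, together
// with the algorithm and cost, inside the returned string, so only that
// string needs to be kept; no plaintext or separate salt column is required.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// True if $candidate matches any hash in $history. password_verify() reads
// the salt from each stored hash, so old passwords are never kept in clear.
function isReusedPassword(string $candidate, array $history): bool
{
    foreach ($history as $oldHash) {
        if (password_verify($candidate, $oldHash)) {
            return true;
        }
    }
    return false;
}

// Apply a password change: refuse reuse, otherwise hash the new password,
// append it and keep only the most recent PASSWORD_HISTORY_DEPTH entries.
// Returns the updated history, or null when the change is rejected.
function changePassword(string $newPassword, array $history): ?array
{
    if (isReusedPassword($newPassword, $history)) {
        return null;
    }
    $history[] = hashPassword($newPassword);
    return array_slice($history, -PASSWORD_HISTORY_DEPTH);
}

// Constructed demo: rotate through three passwords, then attempt to reuse one.
$history = [];
foreach (['first-pass-1', 'second-pass-2', 'third-pass-3'] as $p) {
    $history = changePassword($p, $history);
}
echo "reuse of an old password rejected: ",
    var_export(changePassword('second-pass-2', $history) === null, true), "\n";
echo "fresh password accepted: ",
    var_export(changePassword('fresh-pass-4', $history) !== null, true), "\n";
```

For item iii (updating the scheme), the same built-in API covers the storage side: password_needs_rehash() on the stored hash reports whether the cost or algorithm policy has changed, so the hash can be regenerated at the next successful login.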