Encryption
#7

(This post was last modified: 01-23-2018, 09:20 PM by kilishan.)

I'm sorry you see it that way. I'm not sure what best practice would be for the first example, but for the second example you should still hash it. Hash the password you need to check, and then compare it (using password_hash) against the remaining history of passwords. Security best practices with anything password-like are to use a one-way hash so that it's impossible to decrypt it. That's not a personal opinion.

As Jim hinted at, we implemented a couple different tries at fixing the potential security edge cases but kept finding other security issues with it. So, instead of releasing something with known security flaws, we opted against including it. Especially with 7.2 including libsodium out of the box and knowing it wouldn't be long before we could include a wrapper on that. If you truly need encryption, you're encouraged to use libsodium for your project.

Oh - and NIST's current password guidelines no longer recommend comparing your password against a history of passwords, or forcing repeated password changes, etc. I realize that many enterprise companies still want it, but I agree with NIST here that it causes more security holes than it patches up due to human psychology. I actually have to prepare an estimate for an existing client to implement the older composition, history, etc. style security "upgrades" on his site. Not looking forward to it.
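The history check described in the post above, written out as an added example in plain PHP (not code from the post or from CodeIgniter): only one-way hashes are stored, and the candidate password is checked with password_verify against each stored hash. The function names, the history size and the sample passwords are constructed for the example.

```php
<?php
// Added example, not from the forum post or the framework.
// Password history is kept as one-way hashes only; the plaintext is never stored,
// so there is nothing to decrypt if the history table leaks.

/**
 * Returns true if $candidate matches any hash in the stored history.
 * password_verify() reads the algorithm and salt out of each stored hash,
 * so entries created with different cost settings still compare correctly.
 */
function isPasswordReused(string $candidate, array $historyHashes): bool
{
    foreach ($historyHashes as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * Appends the hash of a newly accepted password and trims the history
 * to the most recent $keep entries (history size is an assumption here).
 */
function recordPasswordChange(array $historyHashes, string $newPassword, int $keep = 5): array
{
    $historyHashes[] = password_hash($newPassword, PASSWORD_DEFAULT);
    return array_slice($historyHashes, -$keep);
}

// Constructed sample data: two earlier passwords already in the history.
$history = [];
$history = recordPasswordChange($history, 'correct horse battery staple');
$history = recordPasswordChange($history, 'Tr0ub4dor&3');

// A change request is rejected when the candidate matches a historical hash.
$candidate = 'Tr0ub4dor&3';
if (isPasswordReused($candidate, $history)) {
    echo "Rejected: password was used recently.\n";
} else {
    $history = recordPasswordChange($history, $candidate);
    echo "Accepted: history now holds " . count($history) . " hashes.\n";
}
```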

