Using password_hash() functions

maltfield · February 15, 2020, 3:07am

Is it on the roadmap to make use of php’s built-in password hashing functions?

https://www.php.net/manual/en/ref.password.php

This is the standard best-practice way to store passwords, and would be much improved over the current implementation, even after CVE-2020-8547 was fixed in phpList v3.5.1.

Unfortunately, I see that phpList’s minimum system requirements lists php v5.3.3, but php’s password hashing functions were not introduced until php v5.5.5. Is there a strong use case for supporting <= 5.5.5? If not, could it be bumped to php v5.5.5 so phpList can make use of password_hash(), password_verify(), etc?

Jessie · February 15, 2020, 4:09pm

Great advice thank to @maltfield for sharing thisgood practice

alexanderpas · February 15, 2020, 6:48pm

Actually, the minimum PHP version to be able to safely use the PHP password functionality can be as low as PHP 5.3.7, due to the availability of ircmaxell/password_compat on packagist.

This makes the modern password functions available for PHP starting from PHP 5.3.7

github.com

ircmaxell/password_compat/blob/master/README.md

password_compat
===============

[![Build Status](https://travis-ci.org/ircmaxell/password_compat.png?branch=master)](https://travis-ci.org/ircmaxell/password_compat) [![Code Climate](https://codeclimate.com/github/ircmaxell/password_compat/badges/gpa.svg)](https://codeclimate.com/github/ircmaxell/password_compat)

This library is intended to provide forward compatibility with the [password_*](http://php.net/password) functions that ship with PHP 5.5.

See [the RFC](https://wiki.php.net/rfc/password_hash) for more detailed information.


Requirements
============

This library requires `PHP >= 5.3.7` OR a version that has the `$2y` fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is **NOT** supported.

The runtime checks have been removed due to this version issue. To see if password_compat is available for your system, run the included `version-test.php`. If it outputs "Pass", you can safely use the library. If not, you cannot. 

If you attempt to use password-compat on an unsupported version, attempts to create or verify hashes will return `false`. You have been warned!

The reason for this is that PHP prior to 5.3.7 contains a [security issue with its BCRYPT implementation](http://php.net/security/crypt_blowfish.php). Therefore, it's highly recommended that you upgrade to a newer version of PHP prior to using this layer.

This file has been truncated. show original

This means phpList would only need to raise the minimum version of PHP from 5.3.3 to 5.3.7 and add ircmaxell/password_compat as a requirement via composer to be safely use the modern password hashing functionality.

A blog post on how to update passwords from the old hashes to the new hases can be found here.