Hacker News new | ask | show | jobs
by supersan 3510 days ago
I often store my password using PHP's password_hash('password', PASSWORD_DEFAULT) function. This function has been baked into the language since version 5.0 I think. I'm sure most other languages must have a similar function too, yet so many sites save the password in plain text. Doesn't make any sense.
3 comments
inglor 3510 days ago
Major props to Anthony https://github.com/ircmaxell for adding this as a language supported feature to PHP as well for his work on techniques for preventing injection.

I work with C#, Java, Python Go and JS on backends a lot and no other language I worked with had such a simple but secure API.

link
avinassh 3509 days ago
Not a std lib in Python, but Django has nice API as well for saving the password [0].

    from django.contrib.auth.models import User
    u = User.objects.get(username='john')
    u.set_password('new password')
    u.save()
And here is the code which does all the magic - [1]. You can also generate nice passwords [2], use many available different hashers [3] Or write your own [4]

[0] - https://docs.djangoproject.com/en/dev/topics/auth/default/#c...

[1] - https://github.com/django/django/blob/stable/1.10.x/django/c... and https://github.com/django/django/blob/stable/1.10.x/django/c...

[2] - https://docs.djangoproject.com/en/dev/topics/auth/customizin...

[3] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

[4] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

link
EE84M3i 3509 days ago
One really nice feature that Django has that is rare and well done is the password upgrading workflow. Not only do they let your app support multiple algorithms at the same time (with one preferred), they also let you chain algorithms during upgrade [0], so if you have a legacy database with all SHA1 passwords, you can upgrade all of them to PBKDF2. At first these will all be PBKDF2(SHA1(pw)), and they will get migrated to just PBKDF2(pw) as users log in, if you set PBKDF2 to your preferred algo.

Note that of course the password algorithms are typed, so this doesn't cause a problem in the corner case that a user's password is a sha1 hash of something else.

[0] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

link
mabcat 3509 days ago
Now how did I not know about `make_random_password`? Solid tip, thanks!
link
chucksmash 3510 days ago
I can't speak for all of those languages, but this functionality is often provided at the web framework level in Python and it fits quite nicely there. Since your web framework typically also knows where you are storing your passwords, you can do nice things like increase the number of bcrypt rounds in a settings file and have users transparently migrated as they login which I'd assume doesn't really work at the language level.

Still, a pragmatic answer and, given PHP started life as a web framework, fitting :).

link
slrz 3510 days ago
Go seems pretty nice:

  func GenerateFromPassword(password []byte, cost int) ([]byte, error)
  func CompareHashAndPassword(hashedPassword, password []byte) error
[from golang.org/x/crypto/bcrypt]
link
stephenr 3510 days ago
v5.5 actually, but there is a userland library to provide the same functionality - https://github.com/ircmaxell/password_compat
link
merb 3510 days ago
well on java it's at least:

    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(StandardCharsets.UTF_8), iterations, digestSize)
    SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
    byte[] hash = skf.generateSecret(spec).getEncoded()
ant then using MessageDigest.isEqual (on newer jvm, older ones had a bug up to 6 45 or so) to compare the passwords.

well the biggest problem is probably generating a truly random salt with SecureRandom, which will slow down your program if used incorrect.

link