Message-ID: <20100527234541.GA19180@openwall.com>
Date: Fri, 28 May 2010 03:45:41 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] How to manage a PHP application's users and passwords; JtR & OpenMP

Hi,

This is to announce two items at once:

1. Last month, I wrote and submitted a lengthy article for the Month of
PHP Security (MOPS).  This article, entitled "How to manage a PHP
application's users and passwords", is now published on the MOPS website:

http://php-security.org/2010/05/26/mops-submission-10-how-to-manage-a-php-applications-users-and-passwords/index.html

In this article/tutorial, I will guide you through the steps needed to
introduce proper (in my opinion at least) user/password management into
a new PHP application.  I will start by briefly explaining
password/passphrase hashing and how to access the database safely.  Then
we will proceed through several revisions of the sample program.  We'll
start with a very simple PHP program capable of creating new users only
and having some subtle issues.  We will gradually improve this program
adding functionality (logging in to existing user accounts, changing
user passwords, and enforcing a password policy) and "discovering" and
dealing with the issues.  We will also briefly touch on many related topics.

This article also serves as documentation on introducing phpass, our PHP
password hashing framework, into a PHP application.  A tarball and ZIP
archive with the article (HTML) along with sample programs is available
for download from the phpass homepage:

http://www.openwall.com/phpass/

The table of contents is:

Introduction
Password/passphrase hashing
	Salting
	Stretching
	Choice of the underlying cryptographic primitive
	phpass - the password/passphrase hashing framework for PHP applications
The database (and how to access it safely)
	SQL injections
		What SQL injections are
		How to deal with SQL injections
		Prepared statements with PHP and MySQL
	Employ the principle of least privilege
	Schema
The sample program is born
	How to create new users
	What if the user already exists?
	Avoid leaking server setup details
	How to differentiate MySQL errors
	The "Magic Quotes" issue
	Input filtering
How to authenticate existing users
How to change user passwords
How to enforce a password policy
	Future work
Timing attacks
Other related concerns
	Randomly-generated passwords/passphrases
	Randomness
	Resetting forgotten passwords/passphrases
	Online password guessing
	Denial of Service (DoS) attacks
	Password policy enforcement and usability concerns
	Challenge/response authentication
	Sessions
Licensing

That's it.  You may want to check out other material posted on the MOPS
website as well.

2. John the Ripper's implementation of OpenBSD-style Blowfish-based
crypt(3) hashes is being parallelized with OpenMP (which is readily
available with recent C compiler versions, including with gcc).  This is
expected to be made official with the next development release.
Meanwhile, there's a patch on the wiki:

http://openwall.info/wiki/john/patches

and here are benchmarks on 8-way x86-64 systems (Core i7 and Dual
quad-core Xeon):

http://www.openwall.com/lists/john-users/2010/05/08/1

and 32-way UltraSPARC T2 (quad-core, 8 threads per core):

http://www.openwall.com/lists/john-users/2010/05/16/2

The efficiency is very close to 100% (vs. multiple separate processes).
The quad-cores with SMT (Core i7 and UltraSPARC T2) show a 5.5x speedup
(over a single-process build/run of unpatched JtR 1.7.5).  The "true"
8-core system shows a 7.9x speedup.

An advantage of this approach is in its transparency and reliability -
JtR parallelized in this way works as usual, including the
interrupt/restore functionality (only one .rec file is created).
A drawback is that this has to be implemented per hash type (and it's
been implemented for just one hash type so far).

Implementation for specific other hash types may be considered,
especially in response to commercial demand (the resulting code will be
available to everyone, as usual).  Please let me know if interested.

Thank you for reading this far!

Alexander
