With the release of PHP 7.2, Argon2 has been available for use for password hashing under the PASSWORD_ARGON2I constant. The upcoming release of PHP 7.3 will build on this and enable PASSWORD_ARGON2D and PASSWORD_ARGON2ID.
Unlike BCRYPT, ARGON2 is resistant to GPU-based attacks as it accesses the memory array in a password-dependent order, which reduces the possibility of a time–memory trade-off attack.
https://en.wikipedia.org/wiki/Argon2
https://password-hashing.net
https://github.com/P-H-C/phc-winner-argon2
http://php.net/manual/en/function.password-hash.php
I don't see what needs implementing? If you use PHP 7.2 you can just use password_hash('password', PASSWORD_ARGON2I). What does Phalcon need to implement here? Unless you're asking Phalcon to implement Argon2 to be used on versions < 7.2?
Yes, you are correct. However, Phalcon has a security wrapper (https://docs.phalconphp.com/hu/3.4/security) that is injectable through the DI container. Using the security component allows users to call it throughout their module with pre-configured properties etc.
Yes, you could technically write a wrapper around the password_hash() method and pre-configure it yourself, but why reinvent the wheel.
This is a framework after all, and in its current form it does provide password hashing abilities, so it should either improve on them or drop them completely.
Yes, it is a framework, which can be "overridden":
security \MyApp\Lib\Whatever\MySecurity
Problem for Argon can be that it needs a library/extension, and these checks will be done for all "phalcon customers" when upgraded.
Other point: use OAuth2/JWT/SSO with authentication servers (quite easy with Docker deployment) so you can forget about passwords, but you will have a bit more work to implement the authorization layer.
> Yes, you are correct. However, Phalcon has a security wrapper (https://docs.phalconphp.com/hu/3.4/security) that is injectable through the DI container.

Ahh ok, so maybe it would be best to NFR a $security->setPasswordHashAlgorithme(int $algorithmeConst)
Not an available option which was the point for my issue...
@RayHughes That's what I mean. Maybe Phalcon should add such a method to allow devs to choose which hashing function to use, since PHP has so many now and is probably going to add more.
@JABirchall my bad on the interpretation and I agree with your suggestion.
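As an added illustration of the method proposed above (example code written for this thread, not Phalcon's own security component), a small DI-style service that lets the application choose the password_hash() algorithm, refuses constants the running PHP build does not provide (Argon2 is a compile-time option), and rehashes legacy hashes on successful verification. It assumes PHP 7.2 or newer; PASSWORD_ARGON2ID only exists from 7.3.

```php
<?php
declare(strict_types=1);

// Hypothetical service; the class and method names are this example's, not Phalcon's.
final class PasswordHasher
{
    private $algo;     // a PASSWORD_* constant (int before PHP 7.4, string afterwards)
    private $options;  // cost options forwarded to password_hash()

    public function __construct($algo = PASSWORD_DEFAULT, array $options = [])
    {
        $this->setAlgorithm($algo, $options);
    }

    /** Select the algorithm; fail at configuration time if this build lacks it. */
    public function setAlgorithm($algo, array $options = []): void
    {
        $available = [PASSWORD_DEFAULT, PASSWORD_BCRYPT];
        if (defined('PASSWORD_ARGON2I'))  { $available[] = PASSWORD_ARGON2I; }  // PHP >= 7.2, if compiled in
        if (defined('PASSWORD_ARGON2ID')) { $available[] = PASSWORD_ARGON2ID; } // PHP >= 7.3
        if (!in_array($algo, $available, true)) {
            throw new InvalidArgumentException('Password hash algorithm not available in this PHP build');
        }
        $this->algo    = $algo;
        $this->options = $options;
    }

    public function hash(string $password): string
    {
        $hash = password_hash($password, $this->algo, $this->options);
        if (!is_string($hash)) {                 // PHP 7.x returns false on failure
            throw new RuntimeException('password_hash() failed');
        }
        return $hash;
    }

    /** Constant-time verify; sets $rehash when the stored hash predates the current settings. */
    public function verify(string $password, string $storedHash, ?string &$rehash = null): bool
    {
        $rehash = null;
        if (!password_verify($password, $storedHash)) {
            return false;
        }
        if (password_needs_rehash($storedHash, $this->algo, $this->options)) {
            $rehash = $this->hash($password);    // caller persists the upgraded hash
        }
        return true;
    }
}

// memory_cost is in KiB; tune the costs so one hash takes tens of milliseconds on your hardware.
$hasher = new PasswordHasher(PASSWORD_ARGON2I, ['memory_cost' => 1 << 16, 'time_cost' => 3, 'threads' => 2]);
$stored = $hasher->hash('correct horse battery staple');
var_dump($hasher->verify('correct horse battery staple', $stored, $upgraded)); // bool(true)
```

Because the stored hash string carries its algorithm and parameters, a bcrypt hash written before the switch still verifies, and password_needs_rehash() reports it for upgrade at the next successful login.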
Closing in favor of #13855. Will revisit if the community votes for it, or in later versions.