> > RFC: > https://wiki.php.net/rfc/password_hash#the_api_does_not_support_pepper >
Thanks, I missed it... I strongly disagree with this, the 'pepper' IMHO is a best practice for web applications. I prefer to live with the idea that an attacker may comprise some database(s) in the 'cloud' but not the physical machine where you can store the pepper either in a file, share memory etc... As far as missing research papers, it's hard to do research on the benefit of keeping something private. If/when databases do get hacked, it's rarely released to the public how it happened. When it comes to web applications, my opinion is odds are greater in SQL injection / data theft success then gaining physical access to the machine. #1 SQL Injection: https://www.owasp.org/index.php/Top_10_2010 Sure it's an added layer of security but it's hard to deny the 'pepper' can't help protect passwords against the #1 risk for php/web applications. A pepper in UNIX crypt() itself would be obviously useless, the user already has access to the physical machine (cat /etc/passwd). -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
