On Tue, Jul 31, 2012 at 4:28 PM, Jonathan Bond-Caron <jbo...@openmv.com> wrote:
> Thanks, I missed it...
>
> I strongly disagree with this, the 'pepper' IMHO is a best practice for web
> applications.
>
> I prefer to live with the idea that an attacker may compromise some
> database(s) in the 'cloud' but not the physical machine where you can store
> the pepper either in a file, shared memory etc...
>
> As far as missing research papers, it's hard to do research on the benefit
> of keeping something private. If/when databases do get hacked, it's rarely
> released to the public how it happened.
>
> When it comes to web applications, my opinion is odds are greater in SQL
> injection / data theft success than gaining physical access to the machine.
> #1 SQL Injection: https://www.owasp.org/index.php/Top_10_2010
>
> Sure it's an added layer of security but it's hard to deny the 'pepper'
> can't help protect passwords against the #1 risk for php/web applications.
>
>
> A pepper in UNIX crypt() itself would be obviously useless, the user already
> has access to the physical machine (cat /etc/passwd).
If you really want to use a secret you should encrypt the resulting password hash with a proper encryption algorithm. Hashing algorithms are not designed for this purpose.

Nikita

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
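An added example of the approach described in the reply above (hash the password, then encrypt the hash with a secret held outside the database); this is not code from the thread, from Nikita or from the PHP project. It assumes PHP 7.2+ with the sodium extension, and the function names and the demo password are the example's own.

```php
<?php
// Added example, not code from the thread: hash first (bcrypt, per-user salt),
// then encrypt the hash with a server-side key kept outside the database, as
// Nikita suggests. Assumes PHP >= 7.2 with the sodium extension.
const NONCE_LEN = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;

// Hash, then seal the hash string with an authenticated cipher.
// Stored form is nonce || ciphertext, base64-encoded to fit a text column.
function store_password(string $password, string $key): string
{
    $hash  = password_hash($password, PASSWORD_BCRYPT);
    $nonce = random_bytes(NONCE_LEN);
    return base64_encode($nonce . sodium_crypto_secretbox($hash, $nonce, $key));
}

// Unseal a stored record; a decryption failure (wrong key, tampered row)
// yields null, which the caller treats exactly like a wrong password.
function open_record(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= NONCE_LEN) {
        return null;
    }
    $hash = sodium_crypto_secretbox_open(
        substr($raw, NONCE_LEN), substr($raw, 0, NONCE_LEN), $key);
    return $hash === false ? null : $hash;
}

function check_password(string $password, string $stored, string $key): bool
{
    $hash = open_record($stored, $key);
    return $hash !== null && password_verify($password, $hash);
}

// The secret is a key wrapped around the hash, not part of the hash input,
// so records can be moved to a new key without users logging in again.
function rotate_key(string $stored, string $oldKey, string $newKey): ?string
{
    $hash = open_record($stored, $oldKey);
    if ($hash === null) {
        return null;
    }
    $nonce = random_bytes(NONCE_LEN);
    return base64_encode($nonce . sodium_crypto_secretbox($hash, $nonce, $newKey));
}
// Demo; a real deployment reads the key from a file, env var or KMS, not the DB.
$key     = sodium_crypto_secretbox_keygen();
$stored  = store_password('correct horse battery staple', $key);
var_dump(check_password('correct horse battery staple', $stored, $key));
$rotated = rotate_key($stored, $key, sodium_crypto_secretbox_keygen());
```

A dump of the users table obtained through SQL injection then yields only ciphertext, which is the threat Jonathan raises, while the key stays rotatable because it is not baked into the hash.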