Picking a great password

December 2, 2012

I was trying to find a simple, brief guide to picking great passwords, and came up short. Hopefully this simple advice is useful:

  1. Don’t pick a password; pick a pass phrase.
  2. Include letters of both cases, numbers, and punctuation characters. For bonus points, use “special” characters like é and î.
  3. Don’t pick something you’ll have to write down to remember. Never write down a password.
  4. Try not to use the same password for multiple sites.

Some examples of passwords I might use (you’ll have to think of new ones; each line is a single password):

  • “B0w T!es ar€ Coo7.”
  • ‘Th3re 4re W0rlds 0ut there where the Sky 1s burn1ng, 4nd th3 S3a’s 4sleep, 4nd th3 R1vers dr3am.’
  • “!€xtermin8” “D3le7e!” “Dok-torr”

Letter substitutions like I’ve done above are not secure for single word passwords. Don’t rely on them! And they’re kind of fiddly anyway, so if the punctuation in the phrases above is too much, you could even simplify them:

  • “Bow Ties are Cool!!”
  • ‘There are worlds out there where the sky is burning, and the sea’s asleep, and the rivers dream.’
  • “Exterminate!” ‘Delete!’ “Dok-torr”

And if you really, really must record your passwords somewhere, the only solution I recommend is 1Password. But I’d recommend not doing it.

More secure password hashing in PHP 5.5

September 12, 2012

The most recent set of PHP releases suggest that the core development team are serious about keeping PHP at the forefront of web development technology, and addressing some of its legacy criticisms. I’ve previously talked about the JsonSerializable interface; now, PHP 5.5 is introducing an easier way to make password hashing more secure.

(What is password hashing, and why is it important for protecting your users’ privacy? Here’s a great introduction.)

Here’s the RFC, which was recently accepted. The idea is that too many people are using a naïve salting mechanism plus a weak hash algorithm to store their passwords:

$hash = md5($password . $salt);

This is subject to attack on a bunch of different levels. bcrypt is the generally-accepted algorithm for hashing passwords, but the truth is, new attacks emerge all the time, and the standard is going to be a constantly moving target.

The new PHP passwords API will abstract that away. All you’ll do is get a hash like this:

// The algorithm argument is required; PASSWORD_DEFAULT selects the current
// recommended algorithm (bcrypt in PHP 5.5) and may change in later releases.
$hash = password_hash($password, PASSWORD_DEFAULT);

To verify a password, you can simply use:

if (password_verify($password, $hash)) { /* Yay */ } else { /* Uh oh */ }

Salts and algorithms will be taken care of behind the scenes. Should you ever need to re-hash the password, at a point where you have the plain-text password, the password_needs_rehash() function will let you know:

// Like password_hash(), this takes the algorithm (and options) you want the
// stored hash to match; it returns true if the hash was made with something else.
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // update hash in database
}

If you don’t want to have the salts managed transparently for you, and want to set a higher computational cost on the hash algorithm than the default 10, you can specify them in the function options:

// Note: the "salt" option was later deprecated (PHP 7.0) and is ignored as of
// PHP 8.0; letting the function generate the salt is the intended usage.
password_hash($password, PASSWORD_DEFAULT, array("cost" => 14, "salt" => $salt));
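The steps above (hash at registration, verify at login, re-hash when password_needs_rehash() asks for it) fit together into one small flow. The following is an added example written for this post, not code from the post or from the RFC; it assumes PHP 7 or later for the scalar type declarations and hash_equals(), while the password_* calls themselves are exactly the 5.5 API. It also shows how an application can migrate away from the md5($password . $salt) scheme criticised above: each legacy record is upgraded the next time its owner logs in, because that is the one moment the plain-text password is in hand. The user store is a constructed in-memory array standing in for a database table, and the usernames, salt and passwords are constructed sample values.

```php
<?php
// Added example (not from the original post): register/login flow on the
// PHP 5.5+ password API, with transparent upgrades of outdated hashes and of
// legacy md5($password . $salt) records. Assumes PHP 7+ for the syntax used.

const HASH_ALGO    = PASSWORD_DEFAULT;   // bcrypt today; may change in later PHP
const HASH_OPTIONS = ['cost' => 12];     // above the default 10; each +1 doubles the work

/** Register a user: only the password hash is stored, never the password. */
function register(array &$users, string $username, string $password): void
{
    $users[$username] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

/**
 * Log a user in. Returns true on success. As a side effect the stored record
 * may be upgraded: a legacy md5 record becomes a password_hash() record, and a
 * password_hash() record whose algorithm or cost no longer matches
 * HASH_ALGO/HASH_OPTIONS is re-hashed.
 */
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $record = &$users[$username];

    if (isset($record['legacy_salt'])) {
        // Legacy scheme the post warns about; hash_equals() keeps the
        // comparison constant-time (password_verify() does this internally).
        if (!hash_equals($record['hash'], md5($password . $record['legacy_salt']))) {
            return false;
        }
        // Correct password and the plain text is available: upgrade now.
        $record = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
        return true;
    }

    if (!password_verify($password, $record['hash'])) {
        return false;
    }
    // Salt, algorithm and cost are all encoded in the hash string, so this
    // check needs nothing but the stored hash and the current policy.
    if (password_needs_rehash($record['hash'], HASH_ALGO, HASH_OPTIONS)) {
        $record['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// --- demonstration (constructed data) -------------------------------------
$users = [];
register($users, 'alice', 'B0w T!es ar€ Coo7.');

// A constructed legacy record in the md5($password . $salt) form.
$legacySalt   = 'constructed-salt';
$users['bob'] = ['hash' => md5('Dok-torr' . $legacySalt), 'legacy_salt' => $legacySalt];

var_dump(login($users, 'alice', 'wrong password'));      // wrong password is rejected
var_dump(login($users, 'alice', 'B0w T!es ar€ Coo7.'));  // correct password is accepted
var_dump(login($users, 'bob', 'Dok-torr'));             // legacy login, record upgraded
var_dump(isset($users['bob']['legacy_salt']));          // legacy salt no longer stored
var_dump(password_get_info($users['bob']['hash'])['algoName']);  // algorithm now in use
```

Raising HASH_OPTIONS['cost'] later needs no migration script: password_needs_rehash() reports the old hashes as outdated and login() replaces them one user at a time. Note that the demonstration passwords are copied from the first post only to keep the example readable; pick your own.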

There’s a compatible PHP shim for coders who won’t be using PHP 5.5 for a while yet.

I’m pretty excited about these additions to the PHP APIs. I’m also looking forward to checking out Ratchet, a way to develop real-time applications using WebSockets in PHP – something that removes a long-standing hole in the PHP functionality stack.

Meanwhile, I’m still experimenting with more development-related posts. Again, please let me know if this was useful!