ZF-3402: Zend_Auth_Adapter_DbTable and unique salt per user
Hi, I have noticed that I can't use a unique salt on every password in the db. To increase security I propose that this gets built into the framework.
Code example:

    $auth = Zend_Registry::get('auth');
    $db = Zend_Registry::get('db');
    $authAdapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'passwd');
    $authAdapter->setIdentity($_POST["user"]);
    $authAdapter->setCredential($_POST["passwd"]);
    //---
    $authAdapter->setSecurety(Zend_Auth_Securety::Db_Salt_PasswordString); // Or something.
    //---
    $result = $auth->authenticate($authAdapter);
Db string example 1: "md5:1ff73fddc94ef96b107787b28b5a5c931b3c761b:3ca6f61224c49d95323e9bf2fcfbf296"
Db string example 2: "sha1:0038f5a895ba79c8cf8277c34d8f7a71df5b294e:fa5c0b2db734baed9f94f7031f726f574a7c3e6a"
Db string pseudo: HashAlgorithm : Salt : Hash( Salt + Password )
To validate a password the framework would have to:
1. Select the user by username from users.
2. Split the passwd string by ":" to get the algorithm, the salt and the salted password hash.
3. HashAlgorithm( salt + $_POST["passwd"] )
4. Compare whether step 3's result is equal to step 2's salted password hash.
This enables dynamic salt length and random algorithms. Depending on the set-password function of your application, the dynamic salt length and random algorithm features are active or not.
Paranoid? In my db the salt values are of dynamic length, 128 to 255 chars, with random algorithms (md5, sha1, sha512 and whirlpool), and the passwd string is auto-updated on successful login: the password is re-salted with the same or a new algorithm. And a user has 4 tries to log in.
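The four validation steps and the "algorithm:salt:hash(salt + password)" row format described above, as an added PHP example that is not part of the ZF-3402 proposal or of Zend Framework; it assumes PHP 7 or later and standalone functions in place of the proposed adapter option, and the table column names follow the post.

```php
<?php
// Added example (not Zend Framework code): store and verify a credential as
// "algorithm:salt:hash(salt + password)" as proposed in ZF-3402.

// Build the stored passwd string for a new (or re-salted) password.
function makeSaltedPasswd(string $password, string $algo = 'sha1', int $saltBytes = 16): string
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported hash algorithm: $algo");
    }
    // Hex-encoded salt: never contains ':', so the separator stays unambiguous.
    $salt = bin2hex(random_bytes($saltBytes));
    return $algo . ':' . $salt . ':' . hash($algo, $salt . $password);
}

// Steps 2-4 of the post: split the row, rehash salt + password, compare.
function verifySaltedPasswd(string $stored, string $password): bool
{
    $parts = explode(':', $stored, 3);
    if (count($parts) !== 3 || $parts[1] === '' || $parts[2] === '') {
        return false;                         // malformed row: never accept it
    }
    [$algo, $salt, $expected] = $parts;
    if (!in_array($algo, hash_algos(), true)) {
        return false;                         // unknown algorithm name in the row
    }
    $actual = hash($algo, $salt . $password);
    // hash_equals() compares in constant time, so the position of the first
    // differing byte is not leaked through response timing.
    return hash_equals($expected, $actual);
}

// Constructed sample rows, one per algorithm the post mentions (not real user data).
$rows = [];
foreach (['md5', 'sha1', 'sha512', 'whirlpool'] as $algo) {
    $rows[$algo] = makeSaltedPasswd('correct horse', $algo);
}
foreach ($rows as $algo => $stored) {
    printf("%-9s ok=%d wrong=%d\n", $algo,
        verifySaltedPasswd($stored, 'correct horse'),
        verifySaltedPasswd($stored, 'wrong horse'));
}
printf("malformed row accepted=%d\n", verifySaltedPasswd('not-a-valid-row', 'correct horse'));
```

The re-salt-on-successful-login behaviour from the last paragraph is simply a call to `makeSaltedPasswd()` after `verifySaltedPasswd()` returns true, writing the new string back to the passwd column.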