Re: PHP: issues managing the password, what is wrong?

[Zdenek Styblik <stybla@turnovfree.net>]

Jonathan Clarke wrote:
> On 30/09/2009 07:43, Zdenek Styblik wrote:
> ...
>>
>> I believe this is broken, or obsolete. I'm using Perl port of Unix
>> crypt() function, and it works just fine for "any" password lengths.
>> 8 characters limitation sounds like - history :)
> 
> Actually crypt() is system-dependant. Different *nixes implement it
> differently. Many implementations accept passwords of any length, but
> only use the first 8 characters to create the hash. As a result, using
> crypt passwords is insecure and un-portable.
> 
> So, yes, it sounds like history, but that's crypt for you :)
> 
> Regards,
> Jonathan

Errr ... well, it seems so.
I think I've hit the wall with eg. sshd x nss-switch when having
passwords crypted by anything else than crypt();
Also, using SSHA might be a bit of overkill (I'm not defending crypt()! :))
So, what's left? Or more, what's the suggestion - which crypt function
to use? Having passwords in MD5/SHA is just - it doesn't sound too much
secure (neither is crypt()), even if those are portable.
I'd say it depends on the type of leak of credentials - if database is
stolen, or password is sniffed through eg. http [web app] - in the first
case, hashed passwords will buy time; the second - it doesn't matter,
how's the password stored in LDAP - right?

Probably a bit off-topic.

Regards,
Zdenek

-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net