Introduction
The Facebook and Cambridge Analytica scandal, the US Democratic Party’s correspondence leak in 2016, Google’s data breach in 2018, and Yahoo Voice hacking in 2012 are just a few examples of major leaks recorded over the past few years.
Information on a global scale is now available to us like never before. If you do not take proper care, information about ourselves (including information of a confidential nature) may also be in the public domain.
It does not matter what kind of project you are developing: an open-source children's game or completing an order from a large enterprise. Your responsibility as a web developer is to provide security for all of your platforms. Security is a very difficult aspect.
The PHP language provides several tools and functions that you can use to ensure application security.
3 password security rules
User passwords should remain unknown to you.
I still remember my first steps as a PHP developer. The first application I created was a game where, together with my friends, I played the role of a skyscraper builder. Each of us could log in to our account, buy builders and send our team to a new construction site every week. I created basic accounts: I added a username and password for each user and sent them to them by e-mail. And only after a couple of months I realized how stupid it was.
The general rule is this: you should not only not know the passwords of your users - you should not be able to recognize them. This is a very serious aspect, which may even entail legal liability.
By trial and error, you still come to the conclusion that passwords do not need to be stored in plain text or in such a way that they can be easily decrypted.
Do not enter password restrictions
Let's play one game. Try to guess the password:
**********
Difficult, right? Let's try this:
P * r *** e ***
Now you know that there is a capital letter and a few capital letters. And if like this:
P * r *** e911
Now it will be much easier for you to guess the password - because you know that it includes an uppercase letter, uppercase letters and a number.
The same thing happens when you impose restrictions on users and masks for their passwords. If your application has a requirement to follow a specific pattern, you give intruders hints that they can use against you.
Requiring a certain minimum password length is normal, since the password length affects the time it takes to pick it up. However, instead, it will be much more useful to find out how algorithms and hashing work.
By the way, the correct answer to the riddle above is “Porsche911” :)
Never send passwords by e-mail in its purest form.
One of my first mistakes as a web developer was that I did not learn how to manage passwords in advance.
Imagine that you are a client and you hire a developer to create a nice e-commerce site for your business. This developer sent you an email that contains the password for your site. Now you know three things about your employee:
- He knows your password.
- It stores your password in its pure form, without using any encryption.
- He does not feel the slightest concern when sending passwords over the Internet.
In response, there is no choice but to dismiss such an employee.
Here's what a web developer should do:
- Create a page in your web application where the user will be able to enter his e-mail in case he has forgotten the password, and thus request a new password.
- Your application will generate unique access rights and bind it to the user who made the request (I personally use a universal individual identifier).
- The application will send the user an e-mail with a link leading to the access right.
As soon as the user follows the link, the application will confirm the correct access and allow the user to change the password.
See how the security of the app has grown with these simple steps? If desired, we can increase the level of security even more by adding a time limit between the request and setting a new password.
How to hash user passwords
Passwords in the web application must be hashed, not encrypted. Encryption is a two-way algorithm. The sequence is encrypted, which you can then decrypt and reuse. This method is often used in intelligence to obtain information from allies.
Hashing assumes that the sequence cannot be returned to plaintext. This is the ultimate goal of the whole process.
To achieve different goals, many algorithms have been developed: some are characterized by high speed, others are highly reliable. This technology is constantly evolving, and over the past few years has undergone many changes. Now we will consider the three most popular varieties of it in chronological order.
SHA-1
This was historically the first hash function. The acronym SHA-1 stands for “Safe Hashing Algorithm,” developed by the US National Security Agency.
SHA-1 was well known and widely used in PHP for creating a 20-byte hexadecimal string with a length of 40 characters.
The SSL industry has been using SHA-1 for digital signatures for several years. Then, after identifying some weaknesses, Google decided that it was time to switch to SHA-2.
The first version of the algorithm was deprecated in 2005. Subsequently, new versions were developed and adopted for use: SHA-2, SHA-2 and SHA-256.
Bcrypt
Bcrypt, not a result of the natural development of SHA, managed to attract a wide audience due to its level of security.
This extremely slow algorithm was created to create the most secure hashed sequences. In the process of hashing data, it goes through several cycles, which in computer technology is described by the indicator of labor costs. The higher the rate of labor, the more expensive it will be for a hacker to get a password.
There is good news: in the future we will be able to use more powerful machines capable of more rapid passage of more cycles.
Argon2
This is a new fashionable hashing algorithm developed by Alex Biryukov, Daniel Dinu and Dmitry Hovratovich from the University of Luxembourg. In 2015, he won the Password Hashing Contest.
Argon2 is presented in 3 versions:
- Argon2d accesses an array of memory, which reduces memory and time overhead. However, he has a risk of attack through third-party channels.
- Argon2i is the opposite of Argon 2d. It is optimized for attacks on third-party channels and gains access to memory in a password-independent manner.
- Argon2id is an intermediate version between two previous versions.
This function has 6 parameters: password sequence, salt, memory cost, time cost, parallelism factor (maximum allowed number of parallel threads), hash length.
In the second part of the article, I will tell you how to use this hashing in PHP using the built-in functions, and now I want to invite everyone to the free online web serveriner “ServerLess PHP”, in which we will get acquainted with the Serverless concept, talk about its implementation in AWS, applicability, prices. We will analyze the principles of assembly and launch, as well as build a simple TG-bot based on AWS Lambda.