Hardened stateless session cookies
May 16th, 2008 at 12:40 UTC by Steven J. Murdoch
The root cause behind the last-but-one WordPress cookie debacle was that the authors invented their own password hashing and cookie generation scheme. This is generally a bad idea, since it is hard even for experts to get these right. Instead, whenever possible, a well-studied proposal should be chosen. It is for this reason that I suggested the phpass library for password hashing, and the Fu et al. stateless session cookie proposal.
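As an added illustration (not code from the original post, phpass, or WordPress), the following Python shows the shape of a Fu et al. style stateless session cookie: the cookie carries its own data and expiry together with a MAC over both under a server-side secret, so the server needs no per-session state to validate it. The key, separator format and sample values are assumptions made for the example.

```python
import hmac
import hashlib
import time

# Added example: a stateless session cookie in the style of Fu et al.
# (cookie = data|expiry|MAC_k(data|expiry)). The key, the separator format
# and the constructed sample values below are assumptions for illustration.

SEPARATOR = "|"


def make_cookie(server_key: bytes, username: str, expiry: int) -> str:
    """Issue a cookie that carries its own integrity check.

    Everything needed to validate the cookie later is in the cookie itself
    plus the server-side secret key, so no per-session server state is kept.
    """
    if SEPARATOR in username:
        raise ValueError("username must not contain the separator")
    body = f"{username}{SEPARATOR}{expiry}"
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}{SEPARATOR}{tag}"


def verify_cookie(server_key: bytes, cookie: str, now: int):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split(SEPARATOR)
    if len(parts) != 3:
        return None
    username, expiry_str, tag = parts
    body = f"{username}{SEPARATOR}{expiry_str}"
    expected = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte compare would leak, through
    # timing, how much of a forged tag is correct.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return username


if __name__ == "__main__":
    # Constructed demo values; a real deployment loads the key from secure storage.
    key = b"constructed-demo-server-key"
    cookie = make_cookie(key, "alice", int(time.time()) + 3600)
    print(cookie)
    print(verify_cookie(key, cookie, int(time.time())))
```

The scheme is stateless only with respect to sessions: the server still has to protect the single MAC key, and anything it must be able to cancel before expiry (such as a logout) needs additional server-side state or a short expiry.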
Portable PHP password hashing framework
Please note that password hashing is often wrongly referred to as "password encryption". Hashing is a more appropriate term since encryption is something that is supposed to be easily reversible.
This is a portable public domain password hashing framework for use in PHP applications. It is meant to work with PHP 3 and above, and it has actually been tested with at least PHP 3.0.18, 4.3.x, 4.4.x, 5.0.x, 5.1.x, and 5.2.x so far.
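As an added example (not phpass's own code), the following Python shows the properties a framework like phpass provides and that a home-grown scheme usually misses: a fresh random salt per password, an iterated (stretched) one-way function, a self-describing stored format, and a constant-time comparison on verification. PBKDF2-HMAC-SHA256 from the standard library stands in for phpass's own algorithms; the storage format, iteration count and field names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example: salted, iterated password hashing of the kind phpass
# provides, with PBKDF2-HMAC-SHA256 standing in for phpass's own algorithms.
# The stored format, iteration count and field names are assumptions.

ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: scheme$iterations$salt$digest.

    Storing the salt and iteration count alongside the digest lets the
    parameters be raised later without breaking existing entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare.

    The stored value cannot be turned back into the password: verification
    works only by hashing the candidate the same way and comparing.
    """
    try:
        scheme, iterations_str, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time compare, so timing does not reveal partial matches.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
```

Two hashes of the same password differ because each gets its own salt, which is what defeats precomputed tables; the iteration count is the knob that makes offline guessing expensive, and should be raised as hardware gets faster.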