When it comes to security, no amounts of additional layers of security can be redundant. Even though the passwords for Phosphorus Five is already ridiculously secure, due to being PGP encrypted in a file outside of the file system accessible for the system, it doesn’t hurt to implement “slow hashing” – Even though I don’t trust it alone. Simply since it’s first of all a moving target, implying you’ll constantly have to add more workload for your own server to be secure. Secondly because when your server and your adversary’s server are 15 orders of magnitude apart in processing power, making sure your hashing algorithm is secure if it’s only based upon “slow hashing”, simply due to the nature of math, would require so much time to execute locally on your server, that it would require minutes for your users to simply be able to log in.
Regardless, I have now added Blowfish and bcrypt “slow hashing” storage of passwords in the upcoming release of Phosphorus Five. The amount of workload required to hash your passwords are set to 10 by default, but can easily be modified in your web.config. In addition each user now has his own unique salt which is used during hashing, which of course further eliminates an adversary’s ability to crack your passwords, since even two similar passwords in your password file, will still be hashed differently, due to having different salts.
In addition I have included parts of the client’s fingerprint when creating a persistent cookie on disc, if the user chooses to “Remember me” on a specific client. This further reduces the potential for credential “cookie theft”, where an adversary can pick your your cookie somehow, and use it to gain access to the system. It does however invalidate your persistent cookie if you upgrade your browser, but I think this is a small price to pay for the additional security it creates. Needless to say, but this also implies that the persistent credential cookie sent back to the client, is also not the same as the hashed password stored in your authentication file. Since the credential “ticket” sent to the client is hashed, from the Blowfish hashing result, and before it’s hashed it adds the client’s fingerprint (UserAgent and supported languages), and since it’s hashed using SHA256, which has an entropy of 2 to the power of 256, which equals 1.15e+77, which is almost the same number as the number of elementary particles in the observable universe – This makes it as far as I can see redundant to use “slow hashing” on cookie verification, and hence only when the user explicitly needs to log in, there will be a roughly 1-2 second delay while logging in, to perform the slow hashing.
Check out the code here. Using bcrypt was surprisingly easy I must confess. Literally two lines of code after having added the bcrypt package. Really nice work by the developers of bcrypt I must confess 🙂
This means that in the upcoming release, at least when it comes to authentication, Phosphorus Five literally has the same amount of security features that heavy duty things such as Linux and FreeBSD has …
… in fact, arguably better. But don’t tell Linus that … 😉