The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It’s a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn’t be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

As many of you likely know, I have a “thing” for password storage. I don’t know what it is about it, but it fascinates me. So I try to keep up as best as I can on the latest trends. In the past few years, we’ve seen the rise of a new algorithm called scrypt (it’s 5 years old actually). It’s gaining more and more adoption. But I don’t recommend its use in production systems for password storage. Let me explain why:

Last week at the BlackHat security conference, a new attack on SSL secured content was unveiled. This attack is called BREACH, and has been generating a lot of buz on the internet. Tech blogs have been plastering their sites with articles about how there’s no fix, and how you can try to defend against BREACH. Well respected security people have been writing about it.

And I’m here to say don’t worry about it.

It’s been a little while since I’ve posted anything here or on YouTube. I’ve been working on some interesting ideas that hopefully will be pretty decent, so it wasn’t time wasted. But I figured now would be a good time to tell you about some upcoming speaking engagements that I have, and where I’ll be over the next few months. So with no further adue:

There are numerous articles on the web about how to properly use bcrypt in PHP. So this time, rather than write yet-another-how-to-use-bcrypt article, I’m going to focus on the mistakes that are commonly made when implementing bcrypt. So, let’s dive right in:

Encryption can be a complex beast of mathematical operations. In this video, we explore the evolution of modern cryptography and some of the basic underlying principles that it uses to keep data secure.

This morning, I gave a talk at TrueNorth PHP. The talk was aimed at explaining the basics of Cryptography as needed for the average developer. It is intended to give a high level understanding of cryptography and cryptographic techniques. So, with no further adue, here’s the slides: