PHP Now Supports Argon2 Next-Generation Password Hashing Algorithm (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.
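
An added example, not code from the Bleeping Computer article or from the PHP project, showing what the PHP 7.2 API looks like in practice: new passwords are hashed with Argon2i, and legacy bcrypt hashes are upgraded in place the next time the user logs in (a second line of defense against offline cracking of a dumped hash table). The cost parameters are assumed values for illustration, and the build must include Argon2 support (`--with-password-argon2`).

```php
<?php
// Added example: hashing with Argon2i on PHP 7.2 and migrating bcrypt hashes.
// Requires PHP 7.2 built with --with-password-argon2 (PASSWORD_ARGON2I defined).
declare(strict_types=1);

// Assumed cost parameters for illustration; tune them on the real server so
// that one hash costs tens of milliseconds and fits the available memory.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // 64 MiB, expressed in KiB
    'time_cost'   => 4,       // number of passes over the memory
    'threads'     => 2,       // degree of parallelism
];

function hash_password(string $password): string
{
    if (!defined('PASSWORD_ARGON2I')) {
        throw new RuntimeException('PHP was not built with Argon2 support');
    }
    return password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
}

// Verify a login; on success, report whether the stored hash should be replaced
// (bcrypt, or Argon2i with weaker parameters). Returns [verified, newHashOrNull].
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS)) {
        $newHash = hash_password($password);
    }
    return [true, $newHash];
}

// Constructed demo: a user record that still holds a pre-7.2 bcrypt hash.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
[$ok, $upgraded] = verify_and_upgrade('correct horse battery staple', $legacy);
assert($ok && $upgraded !== null);
$info = password_get_info($upgraded);
echo "algo: {$info['algoName']}, memory_cost: {$info['options']['memory_cost']}\n";

// A wrong password is rejected and no rehash is produced.
[$ok2, $hash2] = verify_and_upgrade('wrong', $legacy);
assert(!$ok2 && $hash2 === null);
```

The new hash returned by `verify_and_upgrade()` is what the application writes back to the user record; the hash string itself records the algorithm and parameters, so `password_verify()` keeps working for rows that have not been migrated yet.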

9 of 94 comments

  1. Great by Hognoxious · Score: 4, Insightful

    So now all we have to worry about with PHP is everything else.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Great by wimg · Score: 2

      Which is the same for Ruby, Python, Perl, .NET, Java, Go and every other language. If you don't know how to code, the language doesn't matter.
      Perhaps a more constructive comment next time?

  2. Re:Oh, wow! by guruevi · Score: 4, Insightful

    Facebook, Laravel, Own/Nextcloud, Wikipedia, Wordpress, ... more than 80% of the web runs on PHP.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  3. Re:Hashing by DontBeAMoran · Score: 2

    Dude, that's way too much sodium!

    --
    #DeleteFacebook
  4. Please by eddeye · Score: 4, Insightful

    Author knows nothing about security. Updated crypto algorithms / libraries have next to nothing to do with application security.

    How many apps are hacked through outdated crypto algorithms? Now how many are hacked through unchecked user input, careless key/password handling, privilege escalation, default passwords, sensitive files left in open locations, and other programming errors?

    There's a reason OpenBSD is one of (if not the) most secure operating systems. Code audits, careful input / output checking, sane error handling, etc. It has nothing to do with crypto algorithms.

    --
    Democracy is two wolves and a sheep voting on lunch.
    1. Re:Please by PhrostyMcByte · Score: 5, Insightful

      Author knows nothing about security. Updated crypto algorithms / libraries have next to nothing to do with application security. How many apps are hacked through outdated crypto algorithms?

      You've missed the point. This is a second line of defense intended to protect your users after your app has been hacked, when the attacker has dumped your database of password hashes. It helps to prevent them from using GPU-accelerated brute forcing to reverse user passwords that would then be plugged into other websites.

    2. Re:Please by 93 Escort Wagon · Score: 4, Insightful

      Well... you have to remember the context. There was a time when PHP's crypto was fundamentally broken, and its developers apparently debated whether they were going to fix it or not.

      PHP has had an abysmal security history, so these sorts of steps are important moves in the right direction.

      --
      #DeleteChrome
  5. Re:Oh, wow! by OrangeTide · Score: 2

    Facebook, Laravel, Own/Nextcloud, Wikipedia, Wordpress, ... more than 80% of the web runs on PHP.

    I've heard of maybe half of those, I didn't realize all of them were still around.

    I remember letting people run PHP on my shell/web server some 15 years ago, and how quickly the default installation was hacked and webpages were defaced. For me it wasn't worth the effort necessary to set it up properly.

    --
    “Common sense is not so common.” — Voltaire
  6. This is what makes PHP so powerful. by Qbertino · Score: 2

    The PHP crew doesn't hesitate for a second to add in a feature that's useful. PHP gets the job done and that's why it's still holding its ground even after each and every Rails and Node fad that comes along.

    --
    We suffer more in our imagination than in reality. - Seneca