[RFC] Password hashing in own class

These RFCs were either rejected or have been replaced by an alternative proposal. They will not be included in phpBB.
Post Reply
Jhonne
Registered User
Posts: 2
Joined: Mon Sep 24, 2012 9:32 am

[RFC] Password hashing in own class

Post by Jhonne »

Replaced by [RFC]More secure password hashing


phpbb_hash and related functions is found in functions.php which is included on all pages. Yet password hashing is only needed for a few pages mainly those involving authentication and registration.

Feature: Put all functions from the PHP password hashing framework in an own class and use it only when needed.

Goal: Encapsulation and to remove some functions from functions.php which is not really needed there.

User avatar
AmigoJack
Registered User
Posts: 110
Joined: Wed May 04, 2011 7:47 pm
Location: グリーン ヒル ゾーン
Contact:

Re: [RFC] Password hashing in own class

Post by AmigoJack »

+1 for the idea.
-1 for the RFC in general.

Too similar to [RFC] Auth Plugin Refactoring & User Integration.

User avatar
Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA
Contact:

Re: [RFC] Password hashing in own class

Post by Pony99CA »

If the function is only used on a few pages (included in a few files), it makes some sense to remove it from a huge include file and put it in its own include file. I don't think this is about "refactoring and user integration" as much as making the include files a bit more reasonable.

I suppose it depends on performance issues, though -- will removing it save significant RAM for those files that don't need it, and will an extra include cause significant slow-downs for files that do use it? if the answers are YES and NO (or even NO and NO), why not do it?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

User avatar
AmigoJack
Registered User
Posts: 110
Joined: Wed May 04, 2011 7:47 pm
Location: グリーン ヒル ゾーン
Contact:

Re: [RFC] Password hashing in own class

Post by AmigoJack »

It's too similar because password checking (and hence hashing) should become a part of the authentication plugin anyway. Currently it's hardcoded to the phpBB core and custom auth plugins can't reach/realize everything they should. In a perfect world all of the default authentication stuff resides is a plugin instead of being bound to the core - which also makes sure custom plugins can really serve/support all needed functionality. For example: currently a custom plugin can't catch the event of changing a password.

The overall performance increase should be minimal to zero, as right now most hosters already use caches like eAccelerator which keep nearly all PHP files in memory anyway, so moving functions based on their usage is virtually only an optimization to the concept/design. Though, I might be wrong

User avatar
nickvergessen
Former Team Member
Posts: 733
Joined: Sun Oct 07, 2007 11:54 am
Location: Stuttgart, Germany
Contact:

Re: [RFC] Password hashing in own class

Post by nickvergessen »

Well this one can be done easily, while auth refactor is quite time intensive. Also if auth is refactored, the functions still should be available in general, f.e. they are used for forum passwords and maybe modifications aswell.
Member of the Development-TeamNo Support via PM

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am
Contact:

Re: [RFC] Password hashing in own class

Post by Oleg »

Jhonne wrote:phpbb_hash and related functions is found in functions.php which is included on all pages. Yet password hashing is only needed for a few pages mainly those involving authentication and registration.
If the goal is to take hashing out of functions.php for the sake of improving phpbb's performance, this is a pointless undertaking.

If the goal is to include a smaller file in third-party applications that need to authenticate against phpbb, the difference will be obvious and if this change does not conflict with outstanding auth refactoring pr(s) I would support it.

If it does conflict, I don't think it's worth complicating the auth refactoring pr(s) for this optimization.

User avatar
bantu
3.0 Release Manager
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany
Contact:

Re: [RFC] Password hashing in own class

Post by bantu »

I think this should be combined with upgrading password hashing to bcrypt. As such, I'd reject the RFC as is.

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany
Contact:

Re: [RFC] Password hashing in own class

Post by naderman »

We are replacing password hashing with a patch based on the proposal [RFC]More secure password hashing, which also refactors the related code, so I'm moving this one to rejected RFCs.

Post Reply