Harden the password hashing


Dec '14

Aug '15


Ole

The default Phalcon uses the $2a$ salt prefix which has proven to have a weakness. This code will set the default prefix to $2y$ which is currently the recommended one. It also increases the work factor from 08 to 13.

$di->set('security', function() {
    $security = new Phalcon\Security();
    // raise the bcrypt cost from the default 08 to 13
    $security->setWorkFactor(13);
    // use the $2y$ prefix instead of the default $2a$
    $security->setDefaultHash(Phalcon\Security::CRYPT_BLOWFISH_Y);
    return $security;
});

For more detail, navigate to http://php.net/crypt and read the section about CRYPT_BLOWFISH.
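Changing the service settings only affects hashes created from that point on; existing rows keep their $2a$, cost-08 hashes until the user logs in again. The following is an added example (not code from Ole's post or from Phalcon itself) that inspects a stored bcrypt hash and re-hashes it with the hardened settings on a successful login. It assumes the 'security' service above and a hypothetical `$users` repository with `findByLogin()` and `updatePasswordHash()`.

```php
<?php
// Added example, not from the original post. Assumes the 'security' service is
// configured as above ($2y$, work factor 13) and that $users is a hypothetical
// repository exposing findByLogin() and updatePasswordHash().

/**
 * Parse a bcrypt string such as "$2y$13$<22-char salt><31-char digest>".
 * Returns [prefix, cost] or null when the string is not a bcrypt hash.
 */
function parseBcrypt(string $hash): ?array
{
    if (!preg_match('/^\$(2[axy]?)\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        return null;
    }
    return [$m[1], (int) $m[2]];
}

/** True when a stored hash still uses a prefix other than $2y$ or a cost below the target. */
function needsRehash(string $hash, int $targetCost = 13): bool
{
    $parsed = parseBcrypt($hash);
    if ($parsed === null) {
        return true; // not bcrypt at all (e.g. a legacy MD5 hash): always upgrade
    }
    [$prefix, $cost] = $parsed;
    return $prefix !== '2y' || $cost < $targetCost;
}

/**
 * Login check that transparently upgrades legacy hashes. The plaintext is only
 * available while the user authenticates, so that is the only moment a re-hash
 * with the new prefix and cost can be computed.
 */
function loginAndUpgrade(Phalcon\Security $security, $users, string $login, string $password): bool
{
    $user = $users->findByLogin($login);
    if ($user === null || !$security->checkHash($password, $user->passwordHash)) {
        return false;
    }
    if (needsRehash($user->passwordHash, $security->getWorkFactor())) {
        // hash() uses the default hash ($2y$) and the work factor set on the service
        $users->updatePasswordHash($user->id, $security->hash($password));
    }
    return true;
}
```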


al35mm
edited Aug '15
Aug '15

If I var_dump(\Phalcon\Security::CRYPT_BLOWFISH_Y);exit; it returns int(6). What's that all about?

Edit: Oh ok, this seems to be referring to the key. E.g. CRYPT_DEFAULT = 0, CRYPT_MD5 = 3 etc. So presumably one could also do $security->setDefaultHash(6); to set it to $2a$?