After the recent discovery of a plugin vulnerability, I’ve been busy looking for ways to button up all areas of public-facing applications for my employer. The first thing I checked was authentication procedures, and was able to improve the way we store password hashes.
The current functionality available within PHP left me feeling less than confident with simply calling crypt() with a salt. I added an algorithm to ‘enhance’ this, but thought that such measures should be built in. And then I find that’s exactly what’s on the way with PHP 5.5 in the form of a password hashing API.
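What replacing a hand-rolled crypt() call with the 5.5 API looks like, as an added example that is not code from the original post: it assumes PHP 5.5 or later, uses the password_hash(), password_verify(), password_needs_rehash() and password_get_info() functions that API introduced, and the bcrypt cost of 12 is an assumption to be tuned for your own hardware.

```php
<?php
// Added example: the PHP 5.5 password hashing API in a login flow.
// Assumes PHP >= 5.5.0. The cost factor below is an assumption; raise it
// until password_hash() takes roughly 100 ms on your production hardware.
function hash_options() {
    return array('cost' => 12);
}

// Store the returned string as-is: the algorithm, cost and a randomly
// generated salt are all embedded in it, so there is no separate salt
// column and no crypt() format string to get wrong.
function store_password($plain) {
    $hash = password_hash($plain, PASSWORD_BCRYPT, hash_options());
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// Verify at login. password_verify() works for any crypt()-style hash,
// including ones produced before the upgrade, so existing rows keep working.
// If the stored hash matches but was produced with weaker parameters, return
// a fresh hash so the caller can upgrade that row in place.
function check_login($plain, $stored_hash) {
    if (!password_verify($plain, $stored_hash)) {
        return array('ok' => false, 'new_hash' => null);
    }
    $new_hash = null;
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, hash_options())) {
        $new_hash = password_hash($plain, PASSWORD_BCRYPT, hash_options());
    }
    return array('ok' => true, 'new_hash' => $new_hash);
}

// Demonstration with a constructed password.
$stored = store_password('correct horse battery staple');
$info = password_get_info($stored);
echo 'algorithm: ', $info['algoName'], ' cost: ', $info['options']['cost'], PHP_EOL;

$good = check_login('correct horse battery staple', $stored);
$bad  = check_login('wrong password', $stored);
echo 'correct password accepted: ', var_export($good['ok'], true), PHP_EOL;
echo 'wrong password accepted:   ', var_export($bad['ok'], true), PHP_EOL;

// A hash made earlier with a lower cost still verifies, but is flagged for
// an upgrade to the current parameters on this login.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, array('cost' => 4));
$res = check_login('correct horse battery staple', $old);
echo 'old hash accepted: ', var_export($res['ok'], true),
     ', rehash issued: ', var_export($res['new_hash'] !== null, true), PHP_EOL;
```

The rehash-on-login pattern is how legacy crypt() hashes get migrated without ever needing the plaintext outside an authentication attempt.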
Now the question is when we’ll get it. November 15 marked the release of PHP 5.5.0 alpha 1, so it may be a while.