Add support for PBKDF2 to hashing
An implementation is already pending for FLOW3 (see #26786, https://review.typo3.org/#change,2332) which is planned to replace MD5 (current default). It would be great to have this available for passwords (FE/BE) and stdWrap.hash (see #28095).
I'm not yet sure how it would fit within current sysext "saltedpasswords" though.
[FEATURE] Add PBKDF2 based password storage to EXT:saltedpasswords
Implement the PBKDF2 password hashing for EXT:saltedpasswords. PBKDF2 is
the NIST recommended way to store passwords in a FIPS compliant way.
The storage format is identical with passlib from Python to enable some
portability as there's no official storage format yet.
The choice of iteration count has been set to a value that matches the
performance characteristics of the Blowfish/Bcrypt hashing.
Reviewed-by: Georg Ringer <firstname.lastname@example.org>
Tested-by: Georg Ringer <email@example.com>
Reviewed-by: Markus Klein <firstname.lastname@example.org>
Tested-by: Markus Klein <email@example.com>
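The passlib-style record layout the commit message refers to (`$pbkdf2-<digest>$<rounds>$<salt>$<checksum>`, with salt and checksum in passlib's adapted base64) can be produced and strictly verified as follows. This is an added Python example, not the EXT:saltedpasswords code; the digest, salt length, round count, `MAX_ROUNDS` cap and all function names are assumptions, since the page does not state them.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (the page names neither digest, salt size nor round count).
DIGEST, ROUNDS, SALT_LEN = "sha256", 25000, 16
MAX_ROUNDS = 1_000_000  # assumed cap so a tampered record cannot stall verification


def ab64_encode(raw):
    """passlib 'adapted base64': '+' becomes '.', '=' padding is dropped."""
    return base64.b64encode(raw, altchars=b"./").decode("ascii").rstrip("=")


def ab64_decode(text):
    if "+" in text or "=" in text:
        raise ValueError("not adapted base64")
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"./", validate=True)


def hash_password(password, salt=None, rounds=ROUNDS):
    """Return '$pbkdf2-<digest>$<rounds>$<salt>$<checksum>'."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-{DIGEST}${rounds}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify_password(password, stored):
    """Parse a stored record strictly, then compare in constant time."""
    try:
        lead, ident, rounds_s, salt_s, dk_s = stored.split("$")
        rounds = int(rounds_s)
        salt, expected = ab64_decode(salt_s), ab64_decode(dk_s)
    except ValueError:  # wrong field count, non-numeric rounds, bad base64
        return False
    if lead or ident != f"pbkdf2-{DIGEST}" or rounds_s != str(rounds):
        return False
    if not 1 <= rounds <= MAX_ROUNDS or len(expected) != hashlib.new(DIGEST).digest_size:
        return False
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)
```

Because the round count is read from the stored record, the verifier bounds it before deriving anything and rejects records whose checksum length does not match the digest.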
#3 Updated by Marcus Krause over 4 years ago
I started with this feature in March 2013 - see https://twitter.com/t3sec/status/313413250693881858
Let's see if I can find this code somewhere here. :))
#6 Updated by Morton Jonuschat over 3 years ago
After looking into this, adding it to stdWrap.hash seems counterintuitive. PBKDF2 is a key derivation function and not a typical hashing function. I'd reason that this is why PHP 5.5 offers a native implementation but it's not within hash_algos(). Due to this, the patch I've submitted only takes care of EXT:saltedpasswords.