1

I'm currently looking for a way to encrypt my users passwords, and rather than simply using crypt(), I've settled on utilizing Phpass 0.3 after reading this stackoverflow answer. However when you visit the Phpass home page, it also has the option for downloading a signature. There are two different signatures available, and it seems that you can create your own if you wanted to.

1] What is the purpose of signatures, and how do they work?

2] Are they necessary for using Phpass, or are they just an extra layer of security?

Community
  • 1
  • 1
Mastrianni
  • 3,900
  • 3
  • 20
  • 32

1 Answers1

1

The signature is there to verify the download. It is explained here how to use them.

Think about it, you're downloading a piece of software which you will use in a security sensitive, critical function in your software. Who can guarantee that what you're downloading and happily executing on your server doesn't contain some malicious backdoor? Only your trust in the author can.

The author has digitally signed his downloadable code and offers a public signature that you can verify against. The idea is that you download the code, get the signature, and verify that both match. This helps to protect against an attacker compromising your download and inserting malicious code into it while you download it, or against someone having compromised the server and replaced the code with malicious code.

Note though that the author himself states that should the server have been compromised, the signature could have been too.

Note: I'd recommend PHP's password_hash instead of the age old Phpass library these days.

deceze
  • 510,633
  • 85
  • 743
  • 889