Looking at "How can I store my users' passwords safely?", the best way to encrypt passwords is using phpass. I want to use PEAR Auth package for authentication, but PEAR only supports md5, sha1, sha256, sha512 and PEAR doesn't add a salt to the hash.

PEAR Auth also doesn't support many of the features that are listed in "How should I choose an authentication library for CodeIgniter?"

  • reCAPTCHA supported
  • Activation emails
  • Unactivated accounts auto-expire
  • Uses phpass for hashing (and also hashes autologin codes in the DB)
  • Very reasonable security model around failed login attempts (good protection against bots and DoS attacks)
  • "Remember me" functionality

My question is: is PEAR Auth really a viable choice? It seems that to use it, I will have to write all the missing features myself. Is there a better, more feature-rich Auth library that is not wrapped inside a framework? I just want basic, secure authentication for my simple web app.

bperdue
  • I know this doesn't answer your question, however sha256 and sha512 are good for hashing if you are using rounds and a random salt. I suggest you look into [crypt](http://php.net/crypt). I'm not sure if PEAR Auth supports it, but if it does, you can use that instead of another library. – Mike Aug 08 '11 at 19:06
  • As @mike suggested, sha could work. PEAR is a viable auth library, it just isn't as feature rich as I think most basic web apps need; i.e., it is missing these features: lost password, remember me, activation emails. – bperdue Aug 10 '11 at 04:18
  • You may want to take a look at https://github.com/delight-im/PHP-Auth which is both framework-agnostic and database-agnostic. – caw Oct 21 '16 at 21:51

1 Answer

If it's only about the password hashing, I'd recommend using bcrypt. How you can use it in PHP is already a topic of a discussion.

Sandro
  • It's partly the hashing, partly the missing features. Perhaps the best solution is to use Tank Auth (recommended here: http://stackoverflow.com/questions/346980/what-codeigniter-authentication-library-is-best/476902#476902) but rewrite it to work without CodeIgniter. – bperdue Aug 08 '11 at 19:21
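
The three hashing options raised in this thread (an unsalted SHA-256 digest as described in the question, salted and iterated SHA-512 through crypt() from Mike's comment, and bcrypt from the answer), side by side as an added example that is not part of the original posts. It assumes PHP 7.0 or later; password_hash(), password_verify() and password_needs_rehash() are PHP built-ins, while the function names, cost values and sample password here are made up for illustration.

```php
<?php
// Added example, not code from the thread or from PEAR Auth. Assumes PHP 7.0+.

// Unsalted fast digest, the scheme the question describes: two users with the
// same password get the same stored value, and guesses are cheap to test.
function unsalted_hash(string $password): string
{
    return hash('sha256', $password);
}

// Salted, iterated SHA-512 via crypt(), as suggested in the first comment.
function sha512_crypt_hash(string $password, int $rounds = 100000): string
{
    $salt = bin2hex(random_bytes(8)); // 16 characters, the maximum for $6$
    return crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
}

function crypt_verify(string $password, string $stored): bool
{
    // crypt() re-reads scheme, rounds and salt from the stored string;
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// bcrypt, as recommended in the answer. bcrypt only uses the first 72 bytes
// of the password; the salt is generated by password_hash() itself.
function bcrypt_hash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify a login and, on success, return an upgraded hash when the stored
// one was created with a different cost than the current policy.
function bcrypt_login(string $password, string $stored, int $cost = 12): array
{
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'new_hash' => $stale ? bcrypt_hash($password, $cost) : null];
}

$pw = 'correct horse battery staple';                     // constructed sample input
var_dump(unsalted_hash($pw) === unsalted_hash($pw));      // no salt: values collide
var_dump(bcrypt_hash($pw) === bcrypt_hash($pw));          // fresh salt on each call
var_dump(crypt_verify($pw, sha512_crypt_hash($pw)));      // correct password
var_dump(crypt_verify('wrong', sha512_crypt_hash($pw)));  // incorrect password
$old = bcrypt_hash($pw, 10);                              // hash stored under an older cost
var_dump(bcrypt_login($pw, $old)['new_hash'] !== null);   // upgrade offered on login
```

Because both crypt() and password_hash() embed the scheme, cost and salt in the stored string, a single text column holds everything needed for verification and for later cost upgrades.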