Top 10 PHP Password Projects

• Password Compat

  1 2,156 0.0 PHP

  Compatibility with the password_* functions that ship with PHP 5.5

  Project mention: WordPlate: WordPress on Composer with sensible defaults | news.ycombinator.com | 2023-02-25

  > Same for WordPress.

  Not as much - WP favours backwards compatibility (or is it laziness?) even when doing so impacts security.

  Another problem is that the environments Wordpress targets are inherently vulnerable - while it's not WP's fault directly, they do nothing to warn people against using them nor outright stop supporting broken, insecure configurations.

  > There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.

  I was talking about publicized data breaches in general. But if we specifically talk about CMSes, I'm not sure anything else beats Wordpress and similar PHP-based CMSes of that era when it comes to not just the amount of vulnerabilities, but especially the nature of them - the same, dumb, basic problems resolved in every other language (including modern PHP with a framework such as Laravel) repeated over and over again.

  > WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities

  Someone posted the following excerpt of the Wordpress codebase, which appears to be some custom attempt at simulating SQL query parameterization instead of using the actual, database-driver-provided function. If this is indeed the purpose of that function and it is indeed used, then I'm not sure there is any valid excuse for this in today's day and age.

  Someone else mentioned password hashing still relying on MD5 - if that is actually true, I'm not sure that is excusable either? I haven't done PHP for many years now, but surely even if the native functions aren't available, couldn't they use a "polyfill" such as https://github.com/ircmaxell/password_compat ?

  I'm sure there are many other issues but frankly the first one should be enough for any competent developer to run away.

  > No it doesnt. Dont make up falsities. PHP executes files how you configure it to.

  I was with you until this, but now I think you're arguing in bad faith.

  Yes, if you want to be pedantic, PHP and your web server execute files like how you configure them to. In practice, the environment where the vast majority of Wordpress sites are deployed (your typical shared hosting environment) will execute anything that ends with .php and is in the web root.

  This is inherently a legacy PHP problem (which WP encourages by supporting it) - no other language that I know of does this by default. If I accidentally store a malicious file in Python, Ruby, Node.js, etc applications, the worst that will happen is that I serve it back. At no point what so ever the server itself will execute that file.

  Yet in the PHP environments Wordpress targets, this is a massive issue which means every single feature handling file uploads (both in WP core and any plugins) should anticipate your server's misconfiguration (maybe it's not limited to .php files, but .html files too?) and try to protect against it, eventually failing and then you get yet another Wordpress vulnerability.

• hashtopolis

  2 1,174 7.3 PHP

  Hashtopolis - A Hashcat wrapper for distributed hashcracking

  

  Project mention: (Steel Battalion Line of Contact Official XDK Debug Build) Hey guys its RazorStoJ here. We are closer than ever to getting the debug build of Steel Battalion: Line of Contact, however we need your help! Please read below as we want the OG Xbox community to come together to help our Xbox game at SBO! | reddit.com/r/originalxbox | 2023-03-29

  Thank you for trying <3 Gonna check on the discord and see if we can point that 4090 of yours at something else. /u/BombBloke had the good idea to split up who works on what as we think the first letter is a capital https://www.reddit.com/r/steelbattaliononline/comments/124d8ja/comment/je6zbx5/?utm_source=share&utm_medium=web2x&context=3 So yeah I'll see if I can build a set of commands for this and the adjusted character set we are talking about there. The discord is also talking about using something like this to set up a pool server as well so we can actually work together https://github.com/hashtopolis/server Just gotta work out hosting.

• InfluxDB

  www.influxdata.com

  sponsored

  Access the most powerful time series database as a service. Ingest, store, & analyze all types of time series data in a fully-managed, purpose-built database. Keep data forever with low-cost storage and superior data compression.

  

• Zxcvbn PHP

  0 786 0.0 PHP

  Realistic PHP password strength estimate library based on Zxcvbn JS

• PHP Password Lib

  0 372 0.0 PHP

  A library for generating and validating passwords

• Password-Generator

  0 263 0.0 PHP

  PHP Library to generate random passwords

• password_exposed

  1 213 10.0 PHP

  🔒 Password Exposed Helper Function - Check if a password has been exposed in a data breach.

  Project mention: What We Do in the /etc./Shadow – Cryptography with Passwords | news.ycombinator.com | 2023-01-06

  > There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.

  Author here.

  I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)

  My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727

  However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!

  > Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.

  I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.

  As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.

  PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.

  > For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?

  I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work?

  Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.

  In the meantime, here's some cool stuff:

  https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)

  https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)

• passwords

  1 174 9.2 PHP

  A simple, yet feature rich password manager for Nextcloud (by marius-wieschollek)

  Project mention: Nextcloud Hub 3/25 Known App Incompatibilities | reddit.com/r/NextCloud | 2022-10-21

  Passwords: Clicking on the app does not give you your passwords listing. The sidebar populates properly but no passwords show up. Marius has stated that these are due to styling changes made in Nextcloud 25 and that he has nightly builds that fix it enough to get it working again, however not to expect a stable version with these fixes quite yet. The Chrome extension appears to continue working just fine. Keep track of what is going on here: https://github.com/marius-wieschollek/passwords/issues/534

• ONLYOFFICE

  www.onlyoffice.com

  sponsored

  ONLYOFFICE Docs — document collaboration in your environment. Powerful document editing and collaboration in your app or environment. Ultimate security, API and 30+ ready connectors, SaaS or on-premises

  

• Password Validator

  0 144 0.0 PHP

  Validates passwords against PHP's password_hash function using PASSWORD_DEFAULT. Will rehash when needed, and will upgrade legacy passwords with the Upgrade decorator.

• GenPhrase

  0 112 0.0 PHP

  GenPhrase is a secure passphrase generator for PHP applications.

• Password Policy

  0 74 0.0 PHP

  A password policy enforcer for PHP and JavaScript

PHP Passwords related posts

• WordPlate: WordPress on Composer with sensible defaults
  9 projects | news.ycombinator.com | 25 Feb 2023
• Show HN: Doppler Share – Share one-off secrets with end-to-end encryption
  2 projects | news.ycombinator.com | 26 Feb 2021

Index

Sponsored

TestGPT | Generating meaningful tests for busy devs

Get non-trivial tests (and trivial, too!) suggested right inside your IDE, so you can code smart, create more value, and stay confident when you push.

codium.ai

Do not miss the trending PHP projects with our weekly report!