Intro + possible contribution/deliverable?


Ryan Chouinard

Sep 6, 2012, 10:17:56 AM
to se...@googlegroups.com
Hi all! I wanted to introduce myself, and hopefully find ways to make myself useful to a group like this.

My name is Ryan Chouinard, and I work at Oracle Corporation in the MySQL group as a member of the DevOps team responsible for MySQL.com. I am also a member of OWASP, and actively speak on PHP/Webdev security matters at my local PHPUG.

I wanted to throw in my own contribution in this area, and hopefully get some feedback. A while back I started to port Openwall's PasswordHash class to PHP5, and then to 5.3+ with namespaces. Of course, over the course of the work it took on a life of its own, and now it's much closer to a PHP port of Python's PassLib than of the PasswordHash library. I started with the name PHPass (when I created the repo I stupidly failed to realize Openwall called their library PHPass, and not PasswordHash as the class was named), but I'm moving into the PHPassLib name in the newer versions. Although, it seems I may as well call it YAPL (Yet Another Password Library). Hopefully I can find a way to set mine apart. :-)

Anyway, I'm hoping to make password hashing as simple as possible with this library, with the goal of giving developers no excuse to improperly store passwords. The new version uses a static interface - mainly because I got a lot of feedback from users complaining that it made no sense to instantiate an object for this. So, an example usage currently looks like this:

    <?php
    use PHPassLib\Hash\BCrypt;

    // Defaults to $ident => 2a, $rounds => 12, $salt => auto
    $hash = BCrypt::hash($password);

    if (BCrypt::verify($password, $hash)) {
        // Success!
    }

I tried to make the library both powerful and easy to use. It's very flexible, and supports persistence and hash migration through a context object. Latest WIP can be found here: https://github.com/rchouinard/phpass/tree/3.x 

Please let me know your thoughts on my work! I would be more than happy to contribute this project to the group if desired. I've been thinking about turning it into an OWASP project, but I think the PHP Security Technical Group may be a better (at least more specific) fit.
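
The hash migration mentioned in the post above, as an added example that is not part of the original post and is not PHPassLib code: it uses PHP's built-in `password_hash()`, `password_verify()` and `password_needs_rehash()` (requires PHP 7.1+ as written) rather than the library's context object. `verifyAndMigrate()`, `TARGET_OPTIONS` and the sample account are hypothetical.

```php
<?php
// Added example: built-in password_* functions, not PHPassLib's API.
// verifyAndMigrate(), TARGET_OPTIONS and the sample data are hypothetical.

// Current policy: bcrypt at cost 12, matching the default rounds in the post.
const TARGET_OPTIONS = ['cost' => 12];

/**
 * Verify a login attempt and, only on success, return a replacement hash
 * when the stored one was created with weaker parameters than the policy.
 *
 * @return array [bool $verified, ?string $newHash]
 */
function verifyAndMigrate(string $password, string $storedHash): array
{
    // The stored hash carries its own algorithm, cost and salt, so
    // verification works no matter which policy produced it.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }

    // The plaintext is only available at login, so this is the one
    // moment an outdated hash can be upgraded.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, TARGET_OPTIONS)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, TARGET_OPTIONS)];
    }

    return [true, null];
}

// Constructed sample: an account whose hash was stored at cost 4.
$users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];

[$ok, $newHash] = verifyAndMigrate('correct horse', $users['alice']);
if ($ok && $newHash !== null) {
    $users['alice'] = $newHash; // persist the upgraded hash
}
var_dump($ok);
var_dump(password_get_info($users['alice'])['options']['cost']);

// A failed login never triggers a rehash.
[$ok, $newHash] = verifyAndMigrate('wrong guess', $users['alice']);
var_dump($ok, $newHash);
```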

Evert Pot

Sep 6, 2012, 10:28:19 AM
to se...@googlegroups.com
> but I'm moving into the PHPassLib name in the newer versions.

Do note that at least a bunch of people (me included) seem to initially read this as PHP ass lib, which may, or may not be what you're going for..

Welcome!
Evert

Ryan Chouinard

Sep 6, 2012, 10:35:06 AM
to se...@googlegroups.com
Yes, I hear that from time to time :-)

If that's the only issue people have, I'll be happy!