The PHP podcast where everyone chimes in.

Originally aired on

October 25th, 2016

054: Security: Encryption, Hashing and PHP

We chat about security in the the PHP community, encryption & hashing in PHP and a new-hotness crypto library called libsodium.


Security: Encryption, Hashing and PHP Show Summary

PSR-9 and PSR-10

  • PSR-9 deals with the process by which security issues are submitted or reported to project maintainers.
  • PSR-10 describes a machine-readable format for disclosing security issues to users.
  • Roave/SecurityAdvisories Prevents the installation of packages with known security vulnerabilities.
  • FriendsOfPHP/security-advisories provides tools for identifying dependencies with known security issues.


  • Encryption when you need decryption. Hash when you don't (e.g: passwords)
  • Encryption provides confidentiality, AEAD aims to go further.
  • Message authentication/integrity checksum is usually a hashing problem, rather than encryption.
  • Scott discusses some encryption pitfalls and how a simple operation like == can become very complex to implement securely without becoming vulnerable to side-channel attacks. Encryption is hard - don't roll your own. Leave it to the specialists.
  • RFC: OpenSSL AEAD support
  • Always hash passwords with a slow hash function like bcrypt, scrypt or argon2 in libsodium. Fast hash functions like sha-2 are more vulnerable to brute-force attacks.
  • hash_pbkdf2() can be used to slow down your hash process to guard against brute-force by creating a bottleneck for an attacker. Don't DDOS your own server though: Use rate-limiting to avoid creating a DDOS vector.

How do we upgrade the password hashing in legacy apps (e.g: md5)?

  • Don't do a mass mailing and require a password reset from everyone: This implies a breach has taken place.
  • Phased update - upgrade your user base gradually:
    • Re-hash passwords using a new algorithm in the background each time a user logs in. Mark the user as re-hashed each time.
    • As users log in, force a password reset.
  • bcrypt all the md5 hashes and make your hashing algorithm bcrypt(md5($password))

Password Managers

  • Make it easy for users to use password managers on your site
  • Don't disable copy & paste on password fields
  • Name password fields obviously


  • libsodium is a C library implementing best-in-class cryptographic and hashing algorithms
  • Safe from side-channel and cache-timing attacks
  • There are plans to move to libsodium implementations of built-in crypto function in PHP >= 7.2
  • mcrypt is deprecated in PHP 7.1

Sammy Kaye wraps up with

Developer Shout-Out

Thank you, Brian Retterer for your security contributions to the community. A $50 Amazon gift card from Laracasts is on its way to you.

Shout-out sponsored by Laracasts


It's like Netflix for developers.


Scott Arciszewski

Chris Riley

Chris Cornutt

Show Notes Credit

Chris Shaw

Thank you Chris Shaw for authoring the show notes for this episode!

If you'd like to contribute show notes and totally get credit for it, check out the show-notes repo!