FuelPHP Forums

Auth package & per-user salting?
  • In working on my project I've been trying to decide between using Fuel's Auth package or rolling my own modified version with per-user salted hashes. This way users with identical passwords will have differing hashes, and it would also further complicate brute-force attacks as each hash differed. Ideally I'd like to use the Auth package, but I'd like to be strong on security and protect users in any (hopefully never-seen) data breach. Am I worrying too much about this? I've read many people say it's best practice, so I'd rather be cautious in deciding on this. Thanks for any input...
  • Harro
    Accepted Answer
    I have mixed feelings about this.

    Per-user salts will make an attack using rainbow tables more difficult. But for that attack they will need to have your user table, containing the password hashes. If they have the table, they will have the per-user-salt values too, as they are stored in the same place.

    To get the Auth salt, they also need to have access to your code to get to the config files.

    FuelPHP uses PBKDF2 to hash passwords, with 10,000 iterations by default. This is a slow and complex algorithm, so it will take a very long time (compared to simple MD5/SHA1/SHA256 hashing) to produce a rainbow table.

    So unless you're building applications that have a very high chance of being targeted, I would not worry too much.

    And if you do, I would not use a local authentication system for applications like that. We build a lot of applications for government use, and they don't store any data at all in the (internet exposed) frontend, apart from some caching. Instead, the frontend does REST calls to the backend inside the datacenter, which is highly secured.

    The REST API will limit the accessibility of data (for example, there is no API call to get all user data, the API call to get individual user info only returns a subset of the fields, etc).
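To make the trade-off in the answer concrete, here is an added PHP example (not FuelPHP's Auth package code, and not from the thread's authors) that contrasts the two schemes being discussed: PBKDF2 with one application-wide salt from config versus PBKDF2 with a random per-user salt stored next to the hash. The `$globalSalt` value, the user records and the "wordlist" are constructed for illustration; the iteration count of 10,000 matches the default the answer mentions. The attacker loop at the end shows the point the answer makes: once the table is stolen, the per-user salt is in the attacker's hands too, so what protects each password is the PBKDF2 cost per guess, while the per-user salt only prevents one guess from being checked against every user at once.

```php
<?php
declare(strict_types=1);

// Added example: per-user salted PBKDF2 versus a single config-wide salt.
// Not FuelPHP Auth code; all values below are constructed for illustration.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 10000;  // the default the answer mentions
const SALT_BYTES        = 16;
const HASH_BYTES        = 32;

// Scheme A: one salt for the whole application, read from a config file.
// Identical passwords produce identical hashes, so an attacker who steals the
// table can spot shared passwords and attack all users with one computation.
function hashWithGlobalSalt(string $password, string $globalSalt): string
{
    return hash_pbkdf2(PBKDF2_ALGO, $password, $globalSalt, PBKDF2_ITERATIONS, HASH_BYTES, true);
}

// Scheme B: a fresh random salt per user, stored alongside the hash together
// with the parameters, so the cost can be raised later without breaking logins.
function hashWithPerUserSalt(string $password): array
{
    $salt = random_bytes(SALT_BYTES);
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, HASH_BYTES, true);
    return [
        'algo'       => PBKDF2_ALGO,
        'iterations' => PBKDF2_ITERATIONS,
        'salt'       => base64_encode($salt),
        'hash'       => base64_encode($hash),
    ];
}

// Verification recomputes PBKDF2 with the stored parameters and compares in
// constant time, so a mismatch does not leak where the hashes diverge.
function verifyPerUserSalt(string $password, array $record): bool
{
    $salt     = base64_decode($record['salt'], true);
    $expected = base64_decode($record['hash'], true);
    if ($salt === false || $expected === false) {
        return false;
    }
    $actual = hash_pbkdf2($record['algo'], $password, $salt, $record['iterations'], strlen($expected), true);
    return hash_equals($expected, $actual);
}

// --- Demonstration with constructed data ---------------------------------

$globalSalt = 'constructed-config-salt';   // stands in for a salt kept in config

// Scheme A: two users with the same password get the same hash.
$aliceA = hashWithGlobalSalt('correct horse', $globalSalt);
$bobA   = hashWithGlobalSalt('correct horse', $globalSalt);
printf("global salt, same password, same hash: %s\n", var_export($aliceA === $bobA, true));

// Scheme B: same password, different salts, different hashes.
$aliceB = hashWithPerUserSalt('correct horse');
$bobB   = hashWithPerUserSalt('correct horse');
printf("per-user salt, same password, same hash: %s\n", var_export($aliceB['hash'] === $bobB['hash'], true));
printf("alice verifies with right password: %s\n", var_export(verifyPerUserSalt('correct horse', $aliceB), true));
printf("alice verifies with wrong password: %s\n", var_export(verifyPerUserSalt('wrong horse', $aliceB), true));

// The attacker's view after a table theft: the salt is in the stolen row, so
// a dictionary attack still works, but every guess costs a full PBKDF2 run
// and has to be repeated per user rather than once for the whole table.
$stolenTable = ['alice' => $aliceB, 'bob' => $bobB];
$wordlist    = ['password', 'letmein', 'correct horse'];   // constructed
$start       = microtime(true);
$guesses     = 0;
foreach ($stolenTable as $user => $row) {
    foreach ($wordlist as $guess) {
        $guesses++;
        if (verifyPerUserSalt($guess, $row)) {
            printf("cracked %s with '%s'\n", $user, $guess);
            break;
        }
    }
}
printf("%d PBKDF2 evaluations in %.3f s\n", $guesses, microtime(true) - $start);
```

Run it with `php example.php`. The timing line is the practical takeaway: the defence per password is the iteration count, which is why the stored record carries `iterations` so it can be raised as hardware gets faster. On PHP 5.5 or later the same properties (random per-user salt, stored parameters, constant-time comparison) come built in with `password_hash()` and `password_verify()`, which is the simpler choice when you are not tied to PBKDF2 for compatibility with an existing table.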
