Is PHP's password_hash FIPS compliant?

63
September 08, 2018, at 11:20 PM

I believe hash('sha256', $pw) is FIPS compliant, but I know for certain that an attack vector is possible with using that function. Also, there is no salt (so I would have to encounter that implementation and I would rather not). Is password_hash/password_verify FIPS compliant?

Answer 1

No.

  1. FIPS 140-2 does not certify password hashing algorithms. As such, password_hash cannot be FIPS compliant, because FIPS simply doesn't apply to it.

  2. To the best of my knowledge, the hash implementations used by hash() (which are part of the PHP core) have not been FIPS certified. If you specifically need a FIPS-compliant implementation, and you have a FIPS-compliant OpenSSL library installed, you may be able to use openssl_digest() as an alternative. (However, remember that this is not a secure method of storing passwords, even with a salt!)

READ ALSO
Find the number of orders related to each order size in MySQL

Find the number of orders related to each order size in MySQL

Need some help with a MySQL query to be used in a larger databaseSimplified here, I need to find the number of orders related to each order size

118
Nested SELECT, or am I over-complicating?

Nested SELECT, or am I over-complicating?

I have the following tables:

67
Batch process a Queryset to avoid database connection timeout

Batch process a Queryset to avoid database connection timeout

I've got a process which imports data from a CSV file then processes the data to run various calculations & set values

108
How to find the nearest geohash in mysql?

How to find the nearest geohash in mysql?

Recently I'm using GeoHash to hash the paired geo-coordinates into a hash value and store it in MySQLNow I want to find the nearest hash given the other hash

134