|Classes of Scott Arciszewski
|PHP Password Lock
MIT Licensed - feel free to use to enhance the security of any of your PHP projects
Depends on defuse/php-encryption for authenticated symmetric-key encryption.
How is this different than "peppering"?
Peppering strategies are usually accomplished through a keyed hash function (e.g. HMAC-SHA256) and applies to the password before it's passed to the salted hash API (i.e. bcrypt). If your pepper/HMAC key is ever compromised, you have to reset every user's password and it becomes a headache.
A hash then encrypt strategy offers agility; if your secret key is compromised (but, miraculously, the hashes are not), you can decrypt all of your users' hashes then re-encrypt them with a new key and they'll never suffer the inconvenience of an unscheduled password reset.
How much more secure is this than just using bcrypt?
Here's a proof-of-concept for the first two points.
But realistically, this library is only about as a secure as bcrypt.
Hash Password, Encrypt Hash, Authenticate Ciphertext
Verify MAC, Decrypt Ciphertext, Verify Password
Re-encrypt a hash with a different encryption key
Migrate from Version 1 of the library
If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.