stella-maris/nist-password 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

stella-maris/nist-password

Composer 安装命令:

composer require stella-maris/nist-password

包简介

Handle password according to the NIST

README 文档

README

A library to use passwords in an NIST-compliant way.

This library implements all relevant points mentioned in section 3.1.1 of the NIST Special Publication 800-63B v4

codecov

Why?

The NIST advises national bodies of the US in digital questions. One of them is Authentication and authorization. So in essence the NIST advises national bodies like the NSA regarding (amongst other things) what makes a safe password and what makes a safe authentication mechanism.

This library converts those written rules into a library that you can use within your code. But the code is not everything as the NIST recommendations also need to be applied to your processes. More in the Chapter on Processes.

How?

Require the library via composer

$ composer require stella-maris/nist-password

Now you can use the following code to verify whether a password is compliant with the NIST rules like this:

use StellaMaris\NistPassword\Validate;
use StellaMaris\Password\Filters\FilterListFactory;
use StellaMaris\Password\Validate\ValidatorListFactory;

$validator = new Validate(
    ValidatorListFactory::create(),
	FilterListFactory::create(),
);
$feedback = $validator->validate($password);
if (! $feedback->isValid()) {
	var_Dump($feedback->getViolations());
}

The getViolations()-method will return a list of Violation-objects that can then be queried for further informations.

Once you have verified that a new password is valid, you can get the password-hash for storage from the validator like this:

$password = $feedback->getPassword();

echo $password;

The password is stored within an object that is pretty safe against accidentally leaking the cleartext password.

For that the Password-object stores the cleartext-password in a symterically encrypted way using a predefined salt and a password that is discarded at the end of the scripts runtime. Casting the object to string will only reveal the hashes password. The password hash is created using PHPs password-hasing library.

Should you - for whatever reason - need the password again in cleartext you can get access to it via the yesIDoNeedThePasswordInCleartextAndIKnowOfTheImplicationsThatMightHave()-method. Be warned that the return value of this method will again expose the cleartext-password! You should use it as fast as possible and destroy the variable immediately afterwards like so:

$password = $feedback->getPassword();

// No intermediary variable!
ldap_bind($ldap_connection, $user, $password->yesIDoNeedThePasswordInCleartextAndIKnowOfTheImplicationsThatMightHave());

// immediately unset the variable after usage!
$pass = $password->yesIDoNeedThePasswordInCleartextAndIKnowOfTheImplicationsThatMightHave();
ldap_bind($ldap_connection, $user, $pass);
unset($pass);

To do an actual authentication you can then use this process:

use StellaMaris\NistPasword\Authenticator;

$authenticator = new Authenticator();
$result = $authenticator->authenticate($password, $hashFromDatabase);
if (! $result->isValid()) {
	echo "The login credentials are invalid"
}

if ($result->isRehashed()) {
	// The existing credentials are not considered strong enough any more so the
	// password has been rehasehd with a stronger algorithm and now needs to be
	// persisted again
	$pdo->query(`UPDATE users SET password=:password WHERE user = :user`, [
		'password' => $result->getHash(),
		'user' => $user,
	]);
}

if ($needsNewPassword) {
    // The whole password set has been compromized so the users have to create a new
    // password at login.
    // You should implement this logic right from the start, hoping that you will never need it
    // Make sure that you can somehow verify that a user is actually the user they claim to be
    // by using some verification mechanism (like sending an email to their registered address)
    // Think about that the emails might have been compromized. Make sure that you detect
    // unwanted tampering with that data!
    // Do NOT - I repeat: NOT! - use "security questions". Those are considered bad practice
    //
    // NIST special publication has this to say on the topic:
    // Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication
    // (KBA) (e.g., “What was the name of your first pet?”) or security questions when
    // choosing passwords.
}

Should you need to come up with a new Password for a user, you can create one like this:

use StellaMaris\NistPassword\PasswordCreator;

$password = (new PasswordCreator())->create();

echo sprintf(
    "The password for %s is %s",
    $user,
    $password->yesIDoNeedThePasswordInCleartextAndIKnowOfTheImplicationsThatMightHave()
);

$pdo->query(`UPDATE users SET password=:password WHERE user = :user`, [
		'password' => (string) $password->hash(),
		'user' => $user,
	]);

Processes

You might need to adapt your processes to be NIST-compliant!

General Requirements

Depending on the Authenticator Assurance Level you will need other factors besides the here mentioned Password. Check the documentation for your requirements.

This package only takes care of the Password!

Password-Recovery

You should not use security questions to regain access to a locked account!

stella-maris/nist-password 适用场景与选型建议

stella-maris/nist-password 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 0 次下载、GitHub Stars 达 2, 最近一次更新时间为 2021 年 12 月 03 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 stella-maris/nist-password 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 stella-maris/nist-password 我们能提供哪些服务?
定制开发 / 二次开发

基于 stella-maris/nist-password 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 2
  • 点击次数: 4
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 2
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: BSD-3-Clause
  • 更新时间: 2021-12-03