Any web developer writing PHP applications is eventually going to have to store user passwords. Most developers have at least learned that storing a password in plain-text isn’t secure, but for many of us, we still use insecure methods.
The problem is, that if our web application is ever hacked, insecure password hashing algorithms will make it simple, easy and quick for attackers to break our passwords.
Last week, I received an email from someone who told me how the Suhosin patch had created problems for their team, and suggested that I write about it here. I thought this was a great idea, for a number of reasons. Particularly, Suhosin is one of those PHP patches that alters the way PHP operates in a fundamental fashion, yet also is installed by default in many places (for example, Ubuntu compiles this patch in by default on their installation).
For starters, what is Suhosin? Suhosin is a PHP patch that “hardens” PHP’s security features. The makers of Suhosin describe it in this way: