Store the password in hashed form.

[Zegnat]

Several server implementations have been updated to allow for the password to be stored as a bcrypt hash. The PHP implementation supporting bcrypt will bring the minimal PHP version required up to 5.3.7.

While 5.3 (and 5.4) versions are no longer officially supported they are used in abundance. Over 40% of WordPress installations are on PHP 5.2 or 5.3 and according to W3Techs’ PHP statistics ~52% of all PHP servers use a version older than PHP 5.4. That is a huge part of the market that will be excluded, for a piece of open-source software that is relatively easy.

An alternative might be PBKDF2, which is the NIST recommended way of storing passwords. hash_pbkdf2 only came natively to PHP 5.5.0, but several pure-PHP implementations exist.

We could use the BSD licensed defuse/password-hashing for secure password storage without giving up on old PHP versions.

[jkufner]

See:

• http://php.net/manual/en/function.password-hash.php
• http://php.net/manual/en/function.password-verify.php

[Zegnat]

Like hash_pbkdf2, both password_hash and password_verify were introduced in PHP 5.5. If I want to keep compatibility with 5.2/5.3 those are a no-go.

Even with password_compat it would bring the require PHP version up to 5.3.7. Because it relies on the same bcrypt implementation I was alluding to when I created this issue.

[jkufner]

PHP 5.5 was released in 2013. That was 3 years ago. Even current stable Debian has PHP 5.6.

[Zegnat]

PHP 5.5 was released in 2013. That was 3 years ago. Even current stable Debian has PHP 5.6.

I know, but even in the half year since I opened this issue very little has changed regarding PHP installation statistics. Currently the only officially supported versions of PHP are 5.6 and 7.0. The exact statistics as of today (2016-08-10):

• WordPress shows 27.6% of installations on 5.2 and 5.3, and a total of 76.5% of installations on PHP versions below 5.6.

• W3Techs shows 37.3% of servers running 5.2 and 5.3, and a total of 85.3% of servers running PHP versions below 5.6.

  (Percentages normalised against all servers running PHP, rather than all servers scanned. Disregard rounding errors caused by ignoring servers on 5.0 and 3.)

In fact, of all PHP 5 versions running on servers found by W3Techs, PHP version 5.3 (27.8%) is still the leading one. 5.4 (27.3%) is slightly behind, with 5.5 (20.0%) coming quite a few percentage points after.

WordPress for one supports PHP 5.2.4+. This means they need to consider fallbacks at every point, cannot use things like namespaces, and include (a modified) phpass for hashing.

I envisioned this repository as being the absolute minimum and simplest PHP implementation of the PhotoBackup server specification. Possibly a reference implementation for others to look at. Nothing more. In line with this, I would love not bumping the version requirements.

Maybe I need to reconsider my aim with this repository.

[jkufner]

Ok, according to graphs you posted the reasonable minimal version is 5.3, cutting away about 10% of users. However, I would feel fine requiring lowest supported version (5.6).

I would expect this repository to be a reference implementation without unneccessary dependencies (external libraries). It does not have to be the simplest possible --- a little of complexity may be useful to allow integration to another projects or to allow authentication against custom services (like IMAP server) in multiuser setup, which significantly increases usefullness of this repository.

My changes don't go all the way to this goal, they are just the first step. I also aim for making this project testable, so the user/developer can verify he did not change the API and everything is still working.