password cleanups / added bcrypt as secure password storage

[lifeofguenter]

I did some cleanups on the password handling on poweradmin

• I am guessing if you wanted to change $password_encryption, you would have to change it first in "config-me.inc.php" - but during installation it would always only hash the admin password as md5 anyway (broken feature?). This is fixed now, e.g. if you change the value of $password_encryption prior installing, it will hash the admin password accordingly.
• I took all "password generating functions" away from toolkit.inc.php and put it into the separate file password.inc.php so that I could include it easily into the installer without including the heavyweight of toolkit itself
• I added bcrypt hashing (which is de-facto safest and standard beginning with PHP5.5. To activate enable following in the config-me.inc.php _prior_ to installing:

$password_encryption = 'bcrypt'; // md5, md5salt or bcrypt
$password_encryption_cost = 12; // needed for bcrypt

• I added a timing attack safe string comparison for the legacy password storages (with bcrypt it is already built-in) via @ircmaxell
• Replaced rand with mt_rand in generate_salt (which does not make it perfect, but hey better than nothing)

[stasic]

Hi,
that looks really nice!
I have some questions regarding your pull request:
Why do you use namespace ?
Are you sure that install/database-structure.inc.php is working with %s properly?
We need function needs_rehash!

Thanks
-arsen

[lifeofguenter]

Thanks for the feedback!

Why do you use namespace ?

To artificially put up the requirements to a sane PHP version.

Are you sure that install/database-structure.inc.php is working with %s
properly?

Yes it gets sprintfted - I tested the code BTW ;)

We need function needs_rehash!

Definitely - but so far it looks here like dry land, so I would not put up
high hopes.

Thank you again for your feedback. Highly appreciated.

[SebTM]

@edmondas I had a look at it and think it's done good so we can merge?

[edmondas]

@SebTM In general it looks fine, so I'm merging it

[edmondas]

@lifeofguenter did you remember what should be implemented here?

[lifeofguenter]

It would just be a wrapper around http://php.net/manual/en/function.password-needs-rehash.php in case one would want to upgrade his bcrypt settings, e.g. make sure that users after successfully logging in have their password hashes updated. It's also fairly simple to upgrade from md5 to bcrypt in the background (e.g. check if hex + 32 chars). I didn't implement it because I did not get any feedback for a long time, and naturally there are some stuff which I wouldn't even want to make backward compatible because they are so outdated :)