Download the PHP package org_heigl/password without Composer

On this page you can find all versions of the php package org_heigl/password. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add a single include, require_once('vendor/autoload.php');. After that you import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case credentials are needed to access such packages. Please use the auth.json textarea to enter credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible via a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple web space.
  • If you are using private repositories, you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our command line tool to download the vendor folder as a binary. This makes your build process faster, and you don't need to expose your credentials for private repositories.

Information about the package password

org_heigl/password

An Object for passwords - Stop leaking passwords to logs or stacktraces!


Scope

This package contains an object that can be used and passed around just like a plaintext password. The only difference is that the plaintext password will not be accidentally leaked into log files, stack traces or var_dump output.

The scope is not to provide a cryptographically secure password or a value object that you can just pass to your persistence layer for storage. On the contrary: you shall never store this object.

This is only a thin wrapper around your password-string that tries to guard you from accidentally leaking the password string where you don't want to see it.

The object stores the password encrypted using sodium_crypto_secretbox. So should someone find a way to expose the private property to the public, there will only be encrypted binary data. The nonce and the key used to encrypt and decrypt are stored in constants and are replaced on every request. So when you create two Password objects within one request, they will both use the same nonce and key. As those values are stored as constants, they will not leak by accident; you would have to actively address them. Preventing that is outside the scope of this package!

As the goal of this Object is not to store the password in a secure way (you will use a hashing algorithm for that, won't you?) but to prohibit it from accidentally leaking in cleartext that is a compromise I'm willing to take.

Why?

The discussions that spun up around twitter leaking passwords to logfiles left me thinking.

It can actually happen quite easily that passwords end up in log files when you put stack traces into logs. That got me thinking about how to avoid that accidentally. The answer, to me, is a value object with a bit of logic that handles the password but won't accidentally leak it.

Just today (21st of March 2019) another leakage of cleartext passwords was announced. This time several hundred million accounts at Facebook were leaked over multiple years. Read more on Krebs on Security or directly at Facebook.

Installation

This is best installed using composer like this:

Usage

Instead of passing the password as a string create a Password-Object and pass that.

You can additionally use PHP's password-hashing API directly:

Additionally you can get a new hash for the password like this:

And to wrap up the API of PHP's password-hashing functions, there's also a method to check whether the password should be rehashed:

And to be able to store the password securely in a database, you can retrieve the password hashed using

where $argument and $options are the corresponding arguments to password_hash.

If you really need to get the plaintext password the Password object was initialized with (e.g. for use with ), you can do that as well:
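The following class is an added illustration of the mechanism described in the Scope section and of the usage API above; it is not the org_heigl/password source, and the method names, the `Password` class name and the exception type are assumptions. It assumes PHP 7.2+ with ext-sodium, matching the package's requirements.

```php
<?php
// Illustrative wrapper, not the org_heigl/password source (method names assumed).
// Key and nonce are generated once per request and shared by every instance, as
// the README describes; only getPlainText() ever reconstructs the cleartext.
final class Password implements JsonSerializable
{
    private static $key;
    private static $nonce;
    private $ciphertext;

    public function __construct(string $plaintext)
    {
        if (self::$key === null) {
            self::$key   = sodium_crypto_secretbox_keygen();
            self::$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        }
        $this->ciphertext = sodium_crypto_secretbox($plaintext, self::$nonce, self::$key);
    }

    public function getPlainText(): string
    {
        $plain = sodium_crypto_secretbox_open($this->ciphertext, self::$nonce, self::$key);
        if ($plain === false) { throw new RuntimeException('password could not be decrypted'); }
        return $plain;
    }

    public function matchesHash(string $hash): bool
    {
        $plain = $this->getPlainText();
        $ok = password_verify($plain, $hash);
        sodium_memzero($plain);   // wipe the temporary cleartext copy
        return $ok;
    }

    public function getNewHash($algorithm = PASSWORD_DEFAULT, array $options = []): string
    {
        $plain = $this->getPlainText();
        $hash = password_hash($plain, $algorithm, $options);
        sodium_memzero($plain);
        return $hash;
    }

    public function shouldBeRehashed(string $hash, $algorithm = PASSWORD_DEFAULT, array $options = []): bool
    {
        return password_needs_rehash($hash, $algorithm, $options);
    }

    // var_dump, print_r, string casts and json_encode all see the mask, never the secret.
    public function __debugInfo(): array { return ['password' => '***']; }
    public function __toString(): string { return '***'; }
    public function jsonSerialize(): array { return ['password' => '***']; }
}
```

A caller creates the object once from the submitted string, stores only `getNewHash()`'s result, and later checks a login with `matchesHash($storedHash)`; dumping the object or an exception that carries it shows just the mask. Note that var_export and reflection bypass __debugInfo, which is the kind of active access the README says is out of scope.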


All versions of password with dependencies

Requirements:
  • php: ^7.2
  • ext-sodium: *
