I wish to add an extra layer of security to my product (a web app that people download and install on their server) that has a module that allows me, the developer, to access their sites instantly with just one link. The way I thought about this specific layer, which is on top of your basic security, is that everyone who buys my product will get a copy of this public hash. As of now, I compute this hash with
password_hash('mypassword', PASSWORD_BCRYPT, ['cost' => 20]), which creates a strong password, supposedly unbreakable.
When I try to access their website with it, I pass the plain text in a password field and simply run
password_verify on the input. If the input provided matches (after hashing) the public hash, then it means the passwords match.
There is a problem with all of this, however. If one of my customers is running on HTTP only, or an attacker tricked me into accessing his evil site, he’ll see this in plain text. Now, this password is cycled every 12h or on some triggers, and on its own it’s useless, but is this really a good way of solving the issue?
In other words, if I “leak” my hash to the public, are
bcrypt and 12-hour rotation, with resets happening on triggers such as a customer’s site being on HTTP, enough to stagger attackers?
This is just an additional layer that adds an extra step for an attacker to work through.
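The customer-side check for the scheme described above, written as an added example rather than the poster's own code. It assumes the shipped file carries the public bcrypt hash together with the Unix time it was issued, so the 12-hour rotation can be enforced by the customer's install and not only by the developer; the cost of 12 is an assumption chosen to keep each verification to a fraction of a second.

```php
<?php
// Added example, not the original poster's code. Assumed record layout:
// ['hash' => <bcrypt hash>, 'issued_at' => <Unix time the hash was created>].

const ACCESS_HASH_TTL = 12 * 3600; // the 12h rotation window from the question

// Developer side: create a fresh public hash record for distribution.
// Cost 12 is an assumption; bcrypt work factor doubles with each +1.
function issue_access_hash(string $secret, int $cost = 12): array
{
    return [
        'hash'      => password_hash($secret, PASSWORD_BCRYPT, ['cost' => $cost]),
        'issued_at' => time(),
    ];
}

// Customer side: verify a presented secret against the shipped record.
// An expired record is rejected before password_verify is called, so a
// secret captured over plain HTTP stops working once the window closes.
function verify_access(array $record, string $presented, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($record['hash'], $record['issued_at'])) {
        return false;
    }
    if ($now - (int) $record['issued_at'] > ACCESS_HASH_TTL) {
        return false;
    }
    return password_verify($presented, $record['hash']);
}

// Constructed demonstration values: a valid secret, a wrong one, and a
// correct secret presented 13 hours after the hash was issued.
$record = issue_access_hash('mypassword');
var_dump(verify_access($record, 'mypassword'));
var_dump(verify_access($record, 'wrong'));
var_dump(verify_access($record, 'mypassword', $record['issued_at'] + 13 * 3600));
```

The expiry check is the part the original design leaves to the developer alone; placing it on the customer's side means a leaked secret is also refused by the install itself after the window, not just retired from the developer's end.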