Yii Phpass
It is strongly recommended to keep the configuration setting 'hashPortable' at 'false'. With 'hashPortable' false, phpass produces bcrypt hashes through PHP's crypt(), which requires PHP 5.3 or later (or the Suhosin patch on older PHP); with 'hashPortable' true it falls back to its own, much weaker MD5-based scheme, so only enable it if bcrypt is genuinely unavailable.
The other setting, 'hashCostLog2', is the base-2 logarithm of the bcrypt cost: 12 means 2^12 = 4096 rounds, which is quite slow and correspondingly secure. A value of 10 (1024 rounds) can be a decent compromise; measure how long one hash takes on your own server and pick the highest cost your login path can tolerate.
Unpack the extension into protected/extensions/phpass, then add it to the application configuration:

    'import'=>array(
        //...
        'application.extensions.phpass.*',
    ),
    'components'=>array(
        //...
        'hasher'=>array(
            'class'=>'Phpass',
            'hashPortable'=>false,
            'hashCostLog2'=>10,
        ),
    ),
Access the Phpass object:

    Yii::app()->hasher

For a new password:

    $theirHashToStore = Yii::app()->hasher->hashPassword($theirPassword);

Authenticate an existing password:

    $isValid = Yii::app()->hasher->checkPassword($theirPassword, $theirStoredHash);
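As an added example (not code from the extension or from phpass itself), here is a stand-alone PHP class with the same hashPassword/checkPassword interface. It shows what 'hashPortable'=>false with 'hashCostLog2'=>10 does underneath (bcrypt through crypt()), fails closed when the stored hash is null, empty or malformed (the situation reported in the comments below), and times one hash so 'hashCostLog2' can be chosen for the server it runs on. It assumes PHP 7 or later for random_bytes() and hash_equals(); the class name and the benchmark helper are illustrative, not part of the extension.

```php
<?php
// Added example, not the Yii extension's or phpass's code. Assumes PHP >= 7.0
// (random_bytes, hash_equals) with the bundled bcrypt implementation; phpass on
// PHP 5.3 would use the "$2a$" prefix instead of "$2y$".

final class BcryptHasher
{
    private $costLog2;

    public function __construct($costLog2 = 10)
    {
        // bcrypt accepts costs 4..31; reject anything else up front.
        if (!is_int($costLog2) || $costLog2 < 4 || $costLog2 > 31) {
            throw new InvalidArgumentException('hashCostLog2 must be an integer in 4..31');
        }
        $this->costLog2 = $costLog2;
    }

    // Counterpart of Yii::app()->hasher->hashPassword($password) for the non-portable case.
    public function hashPassword($password)
    {
        // 22 salt characters from bcrypt's ./A-Za-z0-9 alphabet. base64 uses +/ and
        // pads 16 bytes to 24 chars with "==", so swap + for . and drop the padding.
        $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
        $setting = sprintf('$2y$%02d$%s', $this->costLog2, $salt);
        $hash = crypt($password, $setting);
        // On failure crypt() returns a short marker such as "*0"; never store that.
        if (!is_string($hash) || strlen($hash) !== 60) {
            throw new RuntimeException('bcrypt hashing failed; is CRYPT_BLOWFISH available?');
        }
        return $hash;
    }

    // Counterpart of Yii::app()->hasher->checkPassword($password, $storedHash),
    // hardened against a null/empty/non-bcrypt stored hash.
    public function checkPassword($password, $storedHash)
    {
        // A missing or malformed stored hash must fail closed instead of being compared.
        if (!is_string($storedHash) || strlen($storedHash) !== 60 || strncmp($storedHash, '$2', 2) !== 0) {
            return false;
        }
        $computed = crypt($password, $storedHash);
        if (!is_string($computed) || strlen($computed) !== 60) {
            return false;
        }
        // Strict, constant-time comparison: never '==' (type juggling) and never '===' on its own.
        return hash_equals($storedHash, $computed);
    }

    // Seconds for one hash at the configured cost, to pick hashCostLog2 for your hardware.
    public function secondsPerHash()
    {
        $start = microtime(true);
        $this->hashPassword('benchmark-only');
        return microtime(true) - $start;
    }
}

// Usage with constructed inputs; each check throws if the hasher misbehaves.
$hasher = new BcryptHasher(10);
$stored = $hasher->hashPassword('correct horse battery staple');
if (!$hasher->checkPassword('correct horse battery staple', $stored)) {
    throw new RuntimeException('correct password rejected');
}
if ($hasher->checkPassword('wrong password', $stored)) {
    throw new RuntimeException('wrong password accepted');
}
// The failure mode from the comments: a null stored hash must not authenticate anyone.
if ($hasher->checkPassword('anything', null) || $hasher->checkPassword('anything', '')) {
    throw new RuntimeException('null/empty stored hash accepted');
}
foreach (array(10, 12) as $cost) {
    printf("hashCostLog2=%d: %.3f s per hash\n", $cost, (new BcryptHasher($cost))->secondsPerHash());
}
```

The benchmark loop is the practical way to settle the "10 or 12" question: run it on the production hardware and take the largest cost whose time is still acceptable per login attempt, remembering that the cost also bounds how many logins per second one core can verify.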
@boaz - Thanks. I've orphaned the code in the phpass source, and provided a version 0.12 update to the Yii extension, which references the orphaned phpass code.
Any problems, please let me know ASAP.
Hi,
Just reported a bug in PHPAss, but I wanted to inform users here about it. In short, I had a bug in my application in which, when I compared the passwords during login, I gave null as the hashed password parameter. The bug is that PasswordHash->CheckPassword() returned "valid" in this situation, in effect accepting any password the user input! Luckily I had caught this very early in my development.
EDIT: the link to the bug was bad. I'll try to somehow open a bug and, if successful, I'll quote it here.
EDIT(2): OK, submitted a bug by email, hopefully to the relevant location. Let's see what the response will be.
EDIT(3): Problem solved. First, the solution: edit the PasswordHash.php class, which is included in the PHPAss extension, and in the method CheckPassword() (note the capital first letter) change the last line to use '===' instead of '=='. Synopsis: the following information was given by Alexander, a developer who works on PHPAss. The problem is actually in PHP, and to be exact (and we need to be exact here) it's the PHP package for Ubuntu 11.04 64-bit, package libapache2-mod-php5 v5.3.5-1ubuntu7.7. This version is slightly old and includes a bug in PHP's crypt() function. The bug is related to the "php_crypt_revamped.patch" issue in PHP (I didn't dive into the details). So the bug is in PHP, and applies to some versions of PHP on Ubuntu (possibly on other Linux or OSes), but the workaround is given in the solution above. Good luck with it!
Edit(4): Some more details in a security notification on the Openwall Linux distro: http://www.openwall.com/lists/oss-security/2012/05/04/7
FYI! Boaz.
Hi resurtm,
I have updated the docs a bit to include some installation instructions.
What about the phpass settings? I mean the iteration count and hash portability arguments in the PasswordHash class constructor.