Yii 1.1: phpass

Wrapper for Phpass

Yii Phpass

Yii Phpass is a simple wrapper around Phpass 0.3.

It is strongly recommended to keep the configuration setting 'hashPortable' set to false when running PHP 5.3 (or newer) or a Suhosin-patched PHP, so that phpass uses the native bcrypt (CRYPT_BLOWFISH) hash rather than its portable fallback.

The other configuration setting, 'hashCostLog2', controls the work factor: a value around 12 is quite slow and correspondingly secure, while 10 is a reasonable compromise between speed and security.

Requirements

  • Yii <= 1.1.13; for 1.1.14+, please use CPasswordHelper
  • PHP 5.3 or a newer version, or Suhosin enabled

Installation

  • Extract the release file under protected/extensions/phpass
  • Add a line to your configuration file to import the extension, inside the import array:

    'import'=>array(
        //...
        'application.extensions.phpass.*',
    ),

  • Add to your main.php file within your Yii project, inside the components array:

    'components'=>array(
        //...
        'hasher'=>array(
            'class'=>'Phpass',
            'hashPortable'=>false,
            'hashCostLog2'=>10,
        ),
    ),

Usage

Access the Phpass object:

Yii::app()->hasher

For a New Password:

$theirHashToStore = Yii::app()->hasher->hashPassword($theirPassword);

Authenticate an Existing Password:

$isValid = Yii::app()->hasher->checkPassword($theirPassword, $theirStoredHash);
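A worked example of wiring the hasher into a login flow, added here and not part of the extension's own code: a CUserIdentity subclass (a Yii 1.1 core class) that looks up the user, refuses to verify against a missing or empty stored hash, and rehashes on a successful login when the configured cost has been raised. The User ActiveRecord with its id, username and password_hash attributes is assumed, as is that the component exposes its configured hashPortable and hashCostLog2 values as public properties.

```php
<?php
// Added example, not part of the Yii Phpass extension. Wires the 'hasher'
// component configured above into a Yii 1.1 login flow.
// Assumptions: a 'User' ActiveRecord with 'id', 'username' and 'password_hash'
// attributes, and that the component exposes its configured 'hashPortable'
// and 'hashCostLog2' values as public properties.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));

        // Never hand a missing or empty stored hash to checkPassword(): a null
        // hash must fail closed rather than risk matching any input.
        if ($user === null || !is_string($user->password_hash) || $user->password_hash === '') {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }

        $hasher = Yii::app()->hasher;
        if (!$hasher->checkPassword($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }

        // Transparent upgrade: if hashCostLog2 was raised since this hash was
        // made, rehash now while the plaintext is legitimately available.
        // bcrypt hashes carry their cost in characters 4-5 ("$2a$10$...").
        if (!$hasher->hashPortable
            && (int) substr($user->password_hash, 4, 2) < (int) $hasher->hashCostLog2) {
            $user->password_hash = $hasher->hashPassword($this->password);
            $user->saveAttributes(array('password_hash'));
        }

        $this->_id = $user->id;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// Registration / password change: store only the hash, never the plaintext.
function storeNewPassword(User $user, $plainPassword)
{
    $user->password_hash = Yii::app()->hasher->hashPassword($plainPassword);
    return $user->saveAttributes(array('password_hash'));
}
```

On Yii 1.1.14 and later the two hasher calls map directly onto CPasswordHelper::hashPassword() and CPasswordHelper::verifyPassword(); the fail-closed check on the stored hash is worth keeping either way.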
  • Updated release to version 0.12 - fixed security hole in PHPass source
  • GitHub

Total 9 comments

#16322
kuya1284 at 2014/02/10 03:08pm
Made some modifications

Thank you for putting this together. I made some modifications to your code, which you can see here:

http://pastebin.com/AbRcGLv2

I typically don't like putting (external) vendor libraries in my extensions directory, because I feel that defeats the purpose of the vendors directory. So I added a $libPath property, which is pretty standard practice from what I've seen in other extensions. I also made some other modifications, which you can see in the pastebin URL.

Also, instead of having to add a line in your list of imports, all you really need to do is this:

'hasher' => array(
    'class' => 'ext.phpass.Phpass',
    'libPath' => 'application.vendors.phpass.PasswordHash',
    'hashPortable' => false,
    'hashCostLog2' => 10
)

I hope this helps. Thanks again for whipping this up.

#15174
yiier at 2013/10/14 08:47pm
Re[3]: Requirements

Done; added reference to CPasswordHelper for Yii >= 1.1.14.

#15173
Da:Sourcerer at 2013/10/14 08:32pm
Re[2]: Requirements

I think it's simply a matter of rephrasing:

Php 5.3, A Newer Version Or suhosin

It also wouldn't hurt to mention CPasswordHelper. (And yes, I'll update my article soon as well)

#15172
yiier at 2013/10/14 08:16pm
re: Requirements

@Da:Sourcerer -- Thanks for pointing this out. That was derived from the phpass website: http://www.openwall.com/phpass/

What should the requirements be?

#15171
Da:Sourcerer at 2013/10/14 08:06pm
Requirements

This one is a bit weird:

PHP 5.3 or Suhosin Patch strongly recommended

To my knowledge, v5.3 has been the last version with a working suhosin patch.

#9258
yiier at 2012/07/31 11:27pm
re: bug notice (in PHPAss itself)

@boaz - Thanks. I've orphaned the code in the phpass source, and provided a version 0.12 update to the Yii extension, which references the orphaned phpass code.

Any problems, please let me know ASAP.

#7982
Boaz at 2012/05/01 02:36am
bug notice (in PHPAss itself)

Hi,

Just reported a bug in PHPAss but I wanted to inform users here about it. In short, I had a bug in my application in which when I compared the passwords during login, I gave null as the hashed password parameter. The bug is that PasswordHash->CheckPassword() returned "valid" on this situation, in effect accepting any password the user inputted! Luckily I had caught this very early in my development.

EDIT: link to bug was bad. Will try to somehow open a bug and if successful I'll quote it here.

EDIT(2): Ok, submitted a bug by email, hopefully to the relevant location. Let's see what the response will be.

EDIT(3): Problem solved. First, the solution: Edit the PasswordHash.php class, which is included in the PHPAss extension, edit method CheckPassword() (notice the capital first letter). Change the last line to use '===' instead of '=='. Synopsis: The following information was given by Alexander, a developer that works on PHPAss. The problem is in PHP actually, and to be exact (and we need to be exact here) it's the PHP package for Ubuntu 11.04, 64-bit, package libapache2-mod-php5 v5.3.5-1ubuntu7.7. This version is slightly old and includes a bug in PHP's crypt() function. The bug is related to the "php_crypt_revamped.patch" issue in PHP (didn't dive into the details). So the bug is in PHP, and applies to some versions of PHP on Ubuntu (possibly on other Linux or OS), but the workaround is given in the solution above. Good luck with it!

Edit(4): Some more details on a security notification on Openwall Linux distro: http://www.openwall.com/lists/oss-security/2012/05/04/7

FYI! Boaz.
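To make the failure mode above concrete, an added illustration that is not code from phpass or from this extension: why the '==' to '===' change matters, and the fail-closed checks a caller can do on its own side before any crypt()-based comparison. The function and helper names are the example's own.

```php
<?php
// Added illustration, not code from phpass or this extension.
// Loose comparison treats distinct values as equal; strict comparison does not.
// An empty or unexpected crypt() result compared with '==' against a null or
// empty stored hash would therefore read as a match.
var_dump(null == '');     // bool(true)
var_dump(null === '');    // bool(false)
var_dump('' == false);    // bool(true)
var_dump('' === false);   // bool(false)

// Shape check on the stored hash before any crypt() call: phpass produces
// 60-char bcrypt hashes ("$2a$...") or 34-char portable hashes ("$P$...").
function storedHashLooksValid($storedHash)
{
    if (!is_string($storedHash)) {
        return false;
    }
    $len = strlen($storedHash);
    return ($len === 60 && substr($storedHash, 0, 4) === '$2a$')
        || ($len === 34 && substr($storedHash, 0, 3) === '$P$');
}

// Constant-time string equality for PHP builds predating hash_equals() (5.6).
function constantTimeEquals($a, $b)
{
    if (!is_string($a) || !is_string($b) || strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Fail-closed bcrypt verification: validate input shape, treat any short or
// non-string crypt() result as failure, and never use loose comparison.
// (Portable "$P$" hashes are not verified by crypt() and are rejected here.)
function verifyBcrypt($password, $storedHash)
{
    if (!is_string($password) || !storedHashLooksValid($storedHash)
        || substr($storedHash, 0, 4) !== '$2a$') {
        return false;
    }
    $computed = crypt($password, $storedHash);
    // crypt() signals failure with a very short string (e.g. "*0"); a real
    // hash is always at least 13 characters long.
    if (!is_string($computed) || strlen($computed) < 13) {
        return false;
    }
    return constantTimeEquals($computed, $storedHash);
}

var_dump(verifyBcrypt('secret', null));   // bool(false): a null hash fails closed
var_dump(verifyBcrypt('secret', ''));     // bool(false): so does an empty one
```

The point for application code is that the stored hash is untrusted input too: a null column, an empty string or a truncated value should be rejected before the hashing library ever sees it, independently of whatever fix the library itself ships.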

#7062
yiier at 2012/02/21 11:01pm
re: Settings

Hi resurtm,

I have updated the docs a bit to include some installation instructions.

#7061
resurtm at 2012/02/21 10:41pm
Settings

What about phpass settings? I mean iteration count and hashes portability arguments in PasswordHash class constructor.
