Best place to hash the password

I am very new to Yii, so bear with me as I get my feet wet.

I want passwords to be stored with MD5 (or whatever works). Where would be the best place to do this?

User controller? User model? Higher up?

Could you give an example?

Thanks

User model, in the beforeSave method.

Here is some sample code:

public function beforeSave() {
    // honour the parent's veto instead of always returning true
    if (!parent::beforeSave()) {
        return false;
    }
    // only hash on insert, so updates that leave the password untouched
    // do not hash the already-hashed value a second time
    if ($this->isNewRecord) {
        // for example: hash the plaintext with an application-wide salt
        $this->password = md5($this->password . Yii::app()->params['saltString']);
    }
    return true;
}

I would just suggest using http://www.openwall.com/phpass/ or something similar as using MD5 for passwords is a bad idea.

Actually…

The fact that rainbow tables exist for MD5 hashes does not mean it is a poor method. What it means is that you should salt your hashes so that brute force attacks using tables become infeasible.

Using sha1() with unique salt should be sufficient for most security needs.

I recently had the same question when starting out with Yii and opted to go with something like this:

class User extends CActiveRecord {

    // container for plaintext password when entered
    private $_password;

    /**
     * Used to check if a given password matches the current password
     * @return boolean True if the given password matches the user's password
     */
    public function validatePassword($password) {
        // strict comparison: with == PHP treats hex digests such as "0e123..."
        // as numeric strings, so two different hashes could compare equal
        return $this->_hashPassword($password, $this->salt) === $this->password_hash;
    }

    /**
     * Changes the user's password. Updates the user's salt as well.
     * @param string $password
     */
    public function setPassword($password) {
        $this->_password = $password;
        $this->salt = $this->_generateSalt();
        $this->password_hash = $this->_hashPassword($password, $this->salt);
    }

    public function getPassword() {
        return $this->_password;
    }

    /**
     * Returns a hash based on the password and the salt
     * @param string $password
     * @param string $salt
     * @return string sha1 hash
     */
    private static function _hashPassword($password, $salt) {
        return sha1($salt . $password);
    }

    /**
     * @return string Random salt
     */
    private static function _generateSalt() {
        // uniqid() is time-based (microseconds plus a lcg value), not a CSPRNG;
        // it gives a per-user salt but not cryptographic randomness
        return uniqid('', true);
    }
}




I was actually planning on using crypt().

$this->password = crypt($this->password, Yii::app()->params['saltString']);
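Pulling the thread's suggestions together, here is an added example that is not from any poster: hashing in beforeSave() as in the first answer, but using crypt() in bcrypt mode with a fresh random salt per password instead of one shared saltString, and checking the password in constant time. It assumes PHP 7 or later and Yii 1.x; the User class, the password_hash column and the plainPassword attribute are assumed names.

```php
<?php
// Added example (not code from the thread). Assumes PHP >= 7 (random_bytes,
// hash_equals) and Yii 1.x (CActiveRecord). Column/attribute names are assumed.

class PasswordHasher
{
    const COST = 10; // bcrypt work factor; raise it as hardware allows

    /** Build a bcrypt salt: "$2y$10$" followed by 22 chars from [./A-Za-z0-9]. */
    private static function generateSalt()
    {
        // 16 random bytes -> base64 -> swap '+' for '.' to match bcrypt's alphabet
        $raw = base64_encode(random_bytes(16));
        $salt = substr(strtr($raw, '+', '.'), 0, 22);
        return sprintf('$2y$%02d$%s', self::COST, $salt);
    }

    /** Hash a plaintext password with a fresh random salt embedded in the result. */
    public static function hash($plaintext)
    {
        $hash = crypt($plaintext, self::generateSalt());
        if (strlen($hash) !== 60) { // crypt() returns a short "*0"/"*1" on failure
            throw new RuntimeException('bcrypt not available in this PHP build');
        }
        return $hash;
    }

    /** Verify in constant time; the salt and cost are read from $stored. */
    public static function verify($plaintext, $stored)
    {
        return hash_equals($stored, crypt($plaintext, $stored));
    }
}

class User extends CActiveRecord
{
    public $plainPassword; // assumed: filled from the form, never persisted

    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        // hash on insert and whenever a new plaintext was supplied on update
        if ($this->plainPassword !== null && $this->plainPassword !== '') {
            $this->password_hash = PasswordHasher::hash($this->plainPassword);
            $this->plainPassword = null; // do not keep the plaintext around
        }
        return true;
    }

    public function validatePassword($plaintext)
    {
        return PasswordHasher::verify($plaintext, $this->password_hash);
    }
}
```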