Yii Framework Forum: Best location to md5 the password


Best location to md5 the password

#1 Daniel

Posted 15 March 2010 - 09:23 PM

Hi all,

I am confused about where I should md5 the password. If I put it in beforeSave() on the User model, I will have a problem when updating the model: the already md5'd password will be md5'd again. At the moment, I have a check in beforeSave() so that a password with length = 32 will not be md5'd again. The only drawback of this solution is that the user cannot have a password of exactly 32 characters.

Any suggestion?

Thank you,

Daniel

#2 tri

Posted 15 March 2010 - 10:43 PM

You can check the value of $yourmodel->isNewRecord.

/Tommy
Don't forget to read The Definitive Guide to Yii (en) (sv) | The class reference has the details

#3 andy_s

Posted 16 March 2010 - 12:53 AM

And try not to use md5 in the future; it is not very safe. Instead, choose sha256/sha512 (or another) with a random salt. Just for your security ;)

#4 Daniel

Posted 16 March 2010 - 03:50 AM

tri, on 15 March 2010 - 10:43 PM, said:

You can check the value of $yourmodel->isNewRecord.

/Tommy


@Tommy:
I do not use $yourmodel->isNewRecord since it is OK for registration (create) but will not handle changing/updating the password of an existing user.

@andy_s:
Thanks for the advice. I will try to look at sha1. Which one is better, double hashing or a random salt? However, the random salt key should be stored somewhere since I need to match the password when the user logs in.

#5 andy_s

Posted 16 March 2010 - 04:26 AM

Quote

I do not use $yourmodel->isNewRecord since it is OK for registration (create) but will not handle changing/updating the password of an existing user.


You can add a property newPassword to your model. The corresponding field should appear in the update form. In your rules() you should define it "safe" for the "update" scenario ('on'=>'update'). In the beforeSave() method just check it for emptiness (if not empty, then $this->password = md5($this->newPassword)).

Quote

Which one is better, double hashing or a random salt? However, the random salt key should be stored somewhere since I need to match the password when the user logs in.


Double hashing or a simple salt doesn't give very much additional security. If users type the same passwords, they will still hash to the same value (not good at all). And yes, you will need one more field in the database to store the randomly generated salt (CHAR(16) should be enough).
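The newPassword approach from post #5, combined with the per-user random salt and sha256 the thread recommends, written out as a Yii 1.1 model. This is an added example, not code from the thread or from Yii itself; it assumes a table with username, password (CHAR(64) for hex sha256) and salt (CHAR(16)) columns, and PHP 5.6+ for hash_equals().

```php
<?php
// Added example (not from the thread): a Yii 1.1 ActiveRecord User model that
// hashes only when a new plain-text password was supplied, so an update never
// re-hashes the stored hash. Assumes columns username, password, salt.
class User extends CActiveRecord
{
    /** Plain-text password from the form; not a DB column, never persisted. */
    public $newPassword;

    public function rules()
    {
        return array(
            array('username', 'required'),
            // Mandatory when registering (scenario 'insert'), optional on 'update'.
            array('newPassword', 'required', 'on' => 'insert'),
            array('newPassword', 'length', 'min' => 8, 'max' => 64),
            array('newPassword', 'safe', 'on' => 'insert, update'),
        );
    }

    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        // Only hash when the form carried a new password; an update that
        // leaves the field empty keeps password and salt exactly as stored.
        if ($this->newPassword !== null && $this->newPassword !== '') {
            $this->salt = bin2hex(openssl_random_pseudo_bytes(8)); // 16 hex chars
            $this->password = self::hashPassword($this->newPassword, $this->salt);
            $this->newPassword = null;
        }
        return true;
    }

    public static function hashPassword($password, $salt)
    {
        return hash('sha256', $salt . $password);
    }

    /** Login check: recompute with the stored per-user salt, compare in constant time. */
    public function validatePassword($password)
    {
        return hash_equals($this->password, self::hashPassword($password, $this->salt));
    }
}
```

On current PHP, password_hash() and password_verify() replace the salt and sha256 pieces with a slow, adaptive hash and handle the salt for you; the beforeSave() gating stays the same.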

#6 lgoss007

Posted 16 March 2010 - 07:03 AM

Daniel, on 16 March 2010 - 03:50 AM, said:

@andy_s:
Thanks for the advice. I will try to look at sha1. Which one is better, double hashing or a random salt? However, the random salt key should be stored somewhere since I need to match the password when the user logs in.


sha1 has proven collision attacks and isn't recommended. Use sha256, sha512, whirlpool...

#7 Mike

Posted 16 March 2010 - 07:43 AM

@Daniel:
This is one of the most frequently asked questions :)
Please check e.g. this:
http://www.yiiframew...ly-when-changed

#8 Daniel

Posted 16 March 2010 - 08:12 AM

Mike, on 16 March 2010 - 07:43 AM, said:

@Daniel:
This is one of the most frequently asked questions :)
Please check e.g. this:
http://www.yiiframew...ly-when-changed



@Mike,

Thanks for pointing it out. Somehow, I am overwhelmed by the categories of the forum. Hence, I only used the General Discussion for Yii 1.1.x category for all of my posts.

Apologies for this mistake. I will be more careful (search the forum for an existing topic before posting a new one).

To all of you, thank you for the quick and helpful responses.

#9 Nique

Posted 16 March 2010 - 09:48 AM

$password = crypt(md5($password),md5($salt));


No need for a 32-character field in your database, just VARCHAR(13) ;)

#10 ekerazha

Posted 16 March 2010 - 08:51 PM

Daniel, on 15 March 2010 - 09:23 PM, said:

Hi all,

I am confused about where I should md5 the password. If I put it in beforeSave() on the User model, I will have a problem when updating the model: the already md5'd password will be md5'd again. At the moment, I have a check in beforeSave() so that a password with length = 32 will not be md5'd again. The only drawback of this solution is that the user cannot have a password of exactly 32 characters.

Any suggestion?

Thank you,

Daniel


Just do it inside the register action (user controller).

$model->password=hash('sha256', $salt.$model->attributes['password']);

This post has been edited by ekerazha: 17 March 2010 - 03:22 PM

Yii user #37
