Yii 1.1: Secure password hash storage and a Yii helper extension



This wiki has been replaced by "Use crypt() for password storage".

Total 5 comments

#6140
marcovtwout at 2011/12/15 08:44am

Re: General password handling policies: You are right, using weak encryption in tutorials without a proper explanation is misleading and should be corrected where possible.

Re: OWASP: You are right, that OWASP article you found is outdated. With the power of modern-day GPUs, requirements on password strength have changed: password length is the most important (min. 12 chars), but mixed case and adding numbers/symbols still add significant complexity. In the end, you want passwords that are easy to remember, but hard to crack.

For more guidelines as to password strength, this serves me well: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

#6041
fsb at 2011/12/07 10:31am

@rtfm: Agreed about that OWASP article.

…it Checks If The Password Contains Characters From Each Of The Following Character Sets: CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS. Finally, it calculates the password strength by multiplying the length of the new password by the number of character sets it is comprised of. A value of less than 16 is considered weak…

This is a good example of why I don't use such password strength meters, they give dangerously stupid answers. "H@ckMe1" by this algorithm has a reassuringly high strength of 28 but its entropy, assuming the user's native language is English, is very low. A dictionary attack will get it.
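The meter quoted above can be written down in a few lines, and putting a simple dictionary check next to it shows the point fsb makes. This is an added example, not code from the original article, from OWASP or from Yii; the character-set names follow the quoted text, while the wordlist and the leet-substitution table are constructed stand-ins for a real dictionary file. It assumes PHP 7.0 or later.

```php
<?php
// Added example (not from the original page or Yii): the OWASP-style meter
// quoted in the comment above, next to a simple dictionary check that
// catches what the meter misses. Wordlist and substitution table are constructed.

const CHAR_LOWERS   = 'abcdefghijklmnopqrstuvwxyz';
const CHAR_UPPERS   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const CHAR_DIGITS   = '0123456789';
const CHAR_SPECIALS = '!@#$%^&*()_+-=[]{};:\'",.<>/?`~|\\';

// Constructed wordlist standing in for a real dictionary file.
const TOY_WORDLIST = ['hackme', 'password', 'letmein', 'welcome', 'secret'];

// Common "leet" substitutions, so "H@ckMe" normalises back to "hackme".
const LEET_FROM = ['@', '4', '3', '1', '!', '0', '$', '5', '7'];
const LEET_TO   = ['a', 'a', 'e', 'i', 'i', 'o', 's', 's', 't'];

/**
 * The quoted meter: password length multiplied by the number of character
 * sets it draws from; a result below 16 is rated "weak".
 */
function meterScore(string $password): int
{
    $sets = 0;
    foreach ([CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS] as $set) {
        if (strpbrk($password, $set) !== false) {
            $sets++;
        }
    }
    return strlen($password) * $sets;
}

/**
 * Does the password collapse to a dictionary word once trailing digits,
 * case and common substitutions are stripped away?
 */
function isDictionaryDerived(string $password): bool
{
    $normalised = rtrim($password, CHAR_DIGITS);                   // "H@ckMe1" -> "H@ckMe"
    $normalised = str_replace(LEET_FROM, LEET_TO, $normalised);     // -> "HackMe"
    $normalised = strtolower($normalised);                          // -> "hackme"
    return in_array($normalised, TOY_WORDLIST, true);
}

/**
 * A registration check that accepts the meter only as a lower bound and
 * rejects anything the dictionary check recognises.
 */
function acceptablePassword(string $password): bool
{
    return meterScore($password) >= 16 && !isDictionaryDerived($password);
}

// Constructed candidates: the comment's example beside a long passphrase.
foreach (['H@ckMe1', 'correct horse battery staple'] as $candidate) {
    printf("%-30s meter=%2d dictionary-derived=%-3s accepted=%s\n",
        $candidate,
        meterScore($candidate),
        isDictionaryDerived($candidate) ? 'yes' : 'no',
        acceptablePassword($candidate) ? 'yes' : 'no');
}
```

The meter gives "H@ckMe1" and the 28-character passphrase the same score, because the passphrase uses only one character set; only the dictionary check separates them. A real deployment would replace the toy wordlist with a proper dictionary (and a list of previously breached passwords), but the structure of the check is the same.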

#6026
fsb at 2011/12/06 10:42am
General password handling policies

The comments of rtfm and marcovtwout are welcome. Such matters are beyond the scope of what I wanted to address.

I wanted to focus on the chronic problem of insecure password hashing. I am unhappy that influential tutorials, guides and books routinely demonstrate poor methods. If they are going to punt on the problem, it would be better if these guides saved passwords in plaintext, forcing users to take responsibility for researching appropriate methods.

#6024
hofrob at 2011/12/06 09:35am

"put requirements on things like minimum password length, using uppercase and lowercase characters, etc."

Minimum length should be the only requirement. Upper/lower case and numbers are not making your passwords any more secure (the improvement is negligible). And maybe a hint that people should use passphrases instead of passwords.

And judging from this article (Password length & complexity), I wouldn't use OWASP as a reference.

#6023
marcovtwout at 2011/12/06 08:24am
For completeness

You touched all the important points in this article for storing passwords: using salt, a slow hashing algorithm, real randomness.

For completeness, don't forget to define a password policy for your application and users as well, for example:

  • when sending out passwords (over email), send users a one-time password that must be changed on login.
  • put requirements on things like minimum password length, using uppercase and lowercase characters, etc.
  • make sure your application doesn't give out information like existing usernames or email addresses, through feedback on the login form or a forgot-password form.

The OWASP is your friend here: https://www.owasp.org/index.php/Main_Page
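The three storage points named in the comment above (salt, slow hash, real randomness) in working form, using the crypt() function the replacement article's title refers to with the bcrypt ("$2y$") scheme. This is an added example, not the article's, the extension's or Yii's code; it assumes PHP 7.0 or later for random_bytes() and hash_equals(), and the function names are my own.

```php
<?php
// Added example (not the original article's or Yii's code): salted, slow
// password hashing with PHP's crypt() and bcrypt. Assumes PHP 7.0+.

/**
 * Build a bcrypt setting string "$2y$<cost>$<22-char salt>" from real
 * randomness. bcrypt's salt alphabet is ./A-Za-z0-9, so base64 output only
 * needs '+' mapped to '.'; 16 random bytes give 22 characters plus '=='
 * padding, which is cut off.
 */
function bcryptSalt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

/**
 * Hash a password for storage. The cost is the "slow" part: each increment
 * doubles the work for a legitimate login and for an attacker alike.
 * A bcrypt result is always 60 characters; anything shorter means crypt()
 * rejected the setting string (for example, no bcrypt in this build).
 */
function hashPassword(string $password, int $cost = 12): string
{
    $hash = crypt($password, bcryptSalt($cost));
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed in this PHP build');
    }
    return $hash;
}

/**
 * Verify a login attempt. The stored hash carries its own cost and salt, so
 * it serves as the setting string for re-hashing; hash_equals() compares in
 * constant time to avoid a timing side channel.
 */
function verifyPassword(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Demonstration with a constructed password: the same password hashed twice
// yields two different strings because each call draws a fresh salt, and
// only the matching password verifies against a stored hash.
$stored = hashPassword('correct horse battery staple');
$again  = hashPassword('correct horse battery staple');
echo $stored, "\n", $again, "\n";
var_dump($stored !== $again);                                       // fresh salt per hash
var_dump(verifyPassword('correct horse battery staple', $stored));  // matching password
var_dump(verifyPassword('Tr0ub4dor&3', $stored));                   // wrong password
```

Store only the 60-character string; it already contains the scheme, the cost and the salt, so raising the cost later only requires re-hashing at the user's next successful login. Pick the cost by timing hashPassword() on the production hardware rather than by copying the default.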
