Yii Framework Wiki
Secure password hash storage and a Yii helper extension

Obsolete

This wiki has been replaced by Use crypt() for password storage.

Viewed: 38 320 times
Version: 1.1
Category: Tutorials
Tags: encrypt, hash, password, random, security
Written by: fsb
Last updated by: fsb
Created on: Dec 3, 2011
Last updated: 10 years ago

Revisions

View all history
  • 10 years ago by fsb
    Obsolete since 1.1.14
  • 11 years ago by fsb
    updated code formatting

User Contributed Notes 5
#6023

For completeness

You touched all the important points in this article for storing passwords: using salt, a slow hashing algorithm, real randomness.

For completeness, don't forget to define a password policy for your application and users as well, for example:

  • when sending out passwords (over email), send users a one-time password that must be changed on login.
  • put requirements on things like minimum password length, using uppercase and lowercase characters, etc.
  • make sure your application doesn't give out information like existing usernames or email addresses, through feedback on the login form or a forgot password form.

The OWASP is your friend here: https://www.owasp.org/index.php/Main_Page

marcovtwout at Dec 6, 2011, 1:24:16 PM
#6024

@marcovtwout

"put requirements on things like minimum password length, using uppercase and lowercase characters, etc."

Minimum length should be the only requirement. Upper/lower case and numbers are not making your passwords any more secure (the improvement is negligible). And maybe a hint that people should use passphrases instead of passwords.

And judging from this article, "Password length & complexity", I wouldn't use OWASP as a reference.

hofrob at Dec 6, 2011, 2:35:27 PM
#6026

General password handling policies

The comments of rtfm and marcovtwout are welcome. Such matters are beyond the scope of what I wanted to address.

I wanted to focus on the chronic problem of insecure password hashing. I am unhappy that influential tutorials, guides and books routinely demonstrate poor methods. If they are going to punt on the problem, it would be better if these guides saved passwords in plaintext, forcing users to take responsibility for researching appropriate methods.

fsb at Dec 6, 2011, 3:42:44 PM
#6041

OWASP

@rtfm: Agreed about that OWASP article.

…it checks if the password contains characters from each of the following character sets: CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS. Finally, it calculates the password strength by multiplying the length of the new password by the number of character sets it is comprised of. A value of less than 16 is considered weak…

This is a good example of why I don't use such password strength meters; they give dangerously stupid answers. "H@ckMe1" by this algorithm has a reassuringly high strength of 28, but its entropy, assuming the user's native language is English, is very low. A dictionary attack will get it.

fsb at Dec 7, 2011, 3:31:34 PM
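The meter quoted in the comment above (password length multiplied by the number of character sets present, below 16 counted as weak), written out as an added Python example that is not from the article, the OWASP project or Yii, beside the kind of dictionary-aware check a password policy should run instead. The word list, the leetspeak map and the policy thresholds (12-character minimum, as suggested later in the thread) are constructed assumptions for illustration.

```python
import re

# Character sets as described in the quoted OWASP meter
# (CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS).
CHAR_SETS = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
             re.compile(r"[0-9]"), re.compile(r"[^a-zA-Z0-9]")]


def owasp_meter_score(password: str) -> int:
    """Length times the number of character sets present; below 16 counts as weak."""
    sets_used = sum(1 for rx in CHAR_SETS if rx.search(password))
    return len(password) * sets_used


# Constructed toy word list; a real policy check would load a large dictionary.
TOY_DICTIONARY = {"hack", "me", "password", "letmein", "welcome"}

# Common leetspeak substitutions (constructed subset), undone before the lookup.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def dictionary_coverage(password: str, words=TOY_DICTIONARY) -> float:
    """Fraction of the de-leeted, lowercased password covered by dictionary
    words, using a greedy longest-match scan from left to right."""
    s = password.translate(LEET_MAP).lower()
    i, covered = 0, 0
    while i < len(s):
        hit = max((w for w in words if s.startswith(w, i)), key=len, default="")
        if hit:
            covered += len(hit)
            i += len(hit)
        else:
            i += 1
    return covered / len(s) if s else 0.0


def assess(password: str, min_length: int = 12, max_coverage: float = 0.6) -> dict:
    """Compare the meter's verdict with a length plus dictionary-coverage policy."""
    score = owasp_meter_score(password)
    coverage = dictionary_coverage(password)
    return {
        "meter_score": score,
        "meter_says_strong": score >= 16,
        "dictionary_coverage": round(coverage, 2),
        "policy_accepts": len(password) >= min_length and coverage <= max_coverage,
    }
```

For "H@ckMe1" the meter returns 28 (7 characters, all four sets) while the coverage check finds six of its seven normalized characters inside "hack" and "me" and rejects it; a four-word lowercase passphrase scores lower on the meter but passes the policy.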
#6140

Re:

Re: General password handling policies
You are right, using weak encryption in tutorials without a proper explanation is misleading and should be corrected where possible.

Re: OWASP
You are right, that OWASP article you found is outdated. With the power of modern day GPUs, requirements on password strength have changed: password length is the most important (min. 12 chars), but mixed case and adding numbers/symbols still adds significant complexity. In the end, you want passwords that are easy to remember, but hard to crack.

For more guidelines as to password strength, this serves me well: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

marcovtwout at Dec 15, 2011, 1:44:30 PM
