Secure password hash storage and a Yii helper extension

Yii Framework Wiki

Writenew article

Popular Tags

Secure password hash storage and a Yii helper extension

Obsolete ¶

This wiki has been replaced by Use crypt() for password storage.

13 0

13 followers

Viewed: 35 016 times

Version: 1.1

Category: Tutorials

Tags: encrypt, hash, password, random, security

Written by: fsb

Last updated by: fsb

Created on: Dec 3, 2011

Last updated: 7 years ago

Update Article

Revisions

View all history

7 years ago by fsb
Obsolete since 1.1.14
8 years ago by fsb
updated code formatting

User Contributed Notes 5

#6023

1 0

For completeness

You touched all the important points in this article for storing passwords: using salt, a slow hashing algoritm, real randomness.

For completeness, don't forget to define a password policy for your application and users as well, for example:

when sending out passwords (over email), send users a one-time password that must be changed on login.
put requirements on things like minimum password length, using uppercase and lowercase characters, etc.
make sure your application doesn't give out information like existing usernames or emailadresses, through feedback on the login form or a forgot password form.

The OWASP is your friend here: https://www.owasp.org/index.php/Main_Page

marcovtwout at Dec 6, 2011, 1:24:16 PM

#6024

1 0

@marcovtwout

"put requirements on things like minimum password length, using uppercase and lowercase characters, etc."

Minimum length should be the only requirement. Upper/lower case and numbers are not making your passwords any more secure (the improvement is negligible). And maybe a hint that people should use passphrases instead of passwords.

And judging from this article: Password length & complexity I wouldn't use OWASP as a reference.

hofrob at Dec 6, 2011, 2:35:27 PM

#6026

2 0

General passord handling policies

The comments of rtfm and marcovtwout are welcome. Such matters are beyond the scope of what I wanted to address.

I wanted to focus on the chronic problem of insecure password hashing. I am unhappy that influential tutorials, guides and books routinely demonstrate poor methods. If they are going to punt on the problem it would be better if these guides saved password in plaintext forcing users to take responsibility for researching appropriate methods.

fsb at Dec 6, 2011, 3:42:44 PM

#6041

1 0

OWASP

@rtfm: Agreed about that OWASP article.

…it checks if the password contains characters from each of the following character sets: CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS. Finally, it calculates the password strength by multiplying the length of the new password by the number of character sets it is comprised of. A value of less than 16 is considered weak…

This is a good example of why I don't use such password strength meters, they give dangerously stupid answers. "H@ckMe1" by this algorithm has a reassuringly high strength of 28 but its entropy, assuming the user's native language is English, is very low. A dictionary attack will get it.

fsb at Dec 7, 2011, 3:31:34 PM

#6140

0 0

Re:

Re: General passord handling policies
You are right, using weak encryption in tutorials without a proper explanation is misleading and should be corrected where possible.

Re: OWASP
You are right, that OWASP article you found is outdated. With the power of modern day GPU's, requirements on password strength have changed: password length is the most important (min. 12 chars), but mixed case and adding numbers/symbols still adds significant complexity. In the end, you want passwords that are easy to remember, but hard to crack.

For more guidelines as to password strength, this serves me well: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

marcovtwout at Dec 15, 2011, 1:44:30 PM

Categories

Popular Tags

Recent Comments