User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
Yii 2 Working with Passwords

Working with Passwords

Most developers know that passwords cannot be stored in plain text, but many developers believe it's still safe to hash passwords using md5 or sha1. There was a time when using the aforementioned hashing algorithms was sufficient, but modern hardware makes it possible to reverse such hashes and even stronger ones very quickly using brute force attacks.

In order to provide increased security for user passwords, even in the worst case scenario (your application is breached), you need to use a hashing algorithm that is resilient against brute force attacks. The best current choice is bcrypt. In PHP, you can create a bcrypt hash using the crypt function. Yii provides two helper functions which make using crypt to securely generate and verify hashes easier.

When a user provides a password for the first time (e.g., upon registration), the password needs to be hashed:

$hash = Yii::$app->getSecurity()->generatePasswordHash($password);

The hash can then be associated with the corresponding model attribute, so it can be stored in the database for later use.

When a user attempts to log in, the submitted password must be verified against the previously hashed and stored password:

if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
    // all good, logging user in
} else {
    // wrong password

Заберите ссылку на статью к себе, чтобы потом легко её найти ;)

Выберите, то, чем пользуетесь чаще всего:

Спасибо за внимание, оставайтесь на связи! Ниже ссылка на форум и обсуждение ; )

Log in to comment

Discuss this article

INFO: You are posting the message as a 'Guest'