Class for bcrypt / 1-way encryption
It would be great if Yii had built in functions for using bcrypt to hash passwords (PHP ‘crypt’ function, available since 5.3). It is slow and includes a work factor to keep up with increases in computing power. I recently read this article, and a lot of people on stackoverflow are advocating bcrypt:
In my own Yii application, I’ve implemented the following class as a component that I use for saving passwords and authentication:
Blog Demo from Yii install needs to be updated
The blog demo included with the Yii installation is using md5($salt.$password). Eeek! That should be updated so it is using stronger encryption.
Docs Needed: An article about storing passwords
People are still using MD5, and this is a problem. Sometimes it is without a salt, and these passwords can easily be looked up with a rainbow table. Even with a salt, it’s vulnerable to dictionary and brute-force attacks. I blame a lot of the lackluster PHP tutorials and scripts that litter the web. The more education and default-functionality that can be done on this, the better. I’m not a security expert either, and I am trying to work with the best information available.
Just adding: There is the phpass project implementing strong(er) password storage while still allowing a fallback to MD5. I’ve been planning to write a Yii extension for that. Of course, it’ll be all the better if this is done in vanilla Yii.
Actually, there isn’t any password hashing method in the Yii framework. The blog demo uses md5() and it could be better, but it’s just demo code, not framework code. Moreover, Yii actually uses PHP 5.1+, while crypt() (with support for decent algorithms) is 5.3+.
Really? Then what is the purpose of CSecurityManager?
There isn’t any specific password hashing method inside CSecurityManager, indeed the blog demo doesn’t use any CSecurityManager feature.
It mainly contains encryption/decryption and HMAC computation facilities.
A little… but… well, HMAC computation is a kind of hashing but usually you don’t use it to hash passwords. Moreover, PHP 5.1.2+ provides a built-in HMAC method, so it’s just legacy support for PHP 5.1.0 and 5.1.1.
I actually thought that CSecurityManager was for hashing as well, and that it just didn’t have a good explanation. Then I realized it was for 2-way encryption, not 1-way encryption. It has encrypt and decrypt.
I’d vote for adding a secure hashing method like bcrypt to CSecurityManager.
Agreed, Yii should encourage higher-security algorithms, at least better than e.g. MD5 :-)
SSHA with a variable salt may be a good replacement for MD5; it is significantly more secure and still fast:
The bcrypt function from above:
seems to be written only for *nix, not Windows, and I think it is too slow.
I don’t think there’s a need for adding a special hashing method to CSecurityManager. bcrypt just does some expensive stuff to make cracking slower. The same can be done with sha1(). Just iterate the function 1000 times for example. I think each individual developer should implement any additional protection if a simple sha1($password) is not enough. Also PHP 5.3.2+ supports native bcrypt with rounds and iterating hashes (see Example #3).
The blog demo is, as already noted, just a demo. If one wants to use the blog in production, then modifications should be made by the individual developer if needed.
I suppose it isn’t necessarily needed as part of Yii. Implementing the class I mentioned was really easy and uses the crypt function you mention, plus a few functions for generating a salt and verifying. I do think that an article should be added to the Guide about storing passwords.
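As an added illustration of the approach described in the first post and in the reply above (a crypt()-based bcrypt class with salt generation and verification), here is an example component. It is not the poster’s class and not Yii framework code; it assumes PHP 5.3.7 or later (for the `$2y$` bcrypt prefix) and that `openssl_random_pseudo_bytes()` is available.

```php
<?php
// Added example, not code from this thread or from Yii: password hashing with
// PHP's crypt() and the bcrypt ("$2y$") algorithm. Assumes PHP >= 5.3.7.
class PasswordHasher
{
    const COST = 12; // work factor: 2^12 rounds; raise as hardware gets faster
    // Build a bcrypt salt: "$2y$" + 2-digit cost + "$" + 22 chars from [./A-Za-z0-9]
    public static function generateSalt($cost = self::COST)
    {
        if ($cost < 4 || $cost > 31) {
            throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
        }
        $raw = openssl_random_pseudo_bytes(16, $strong);
        if ($raw === false || $strong === false) {
            throw new RuntimeException('no cryptographically strong randomness available');
        }
        // base64 uses "+" where bcrypt's alphabet uses "."; 16 bytes give 22 usable chars
        $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
        return sprintf('$2y$%02d$%s', $cost, $salt);
    }
    public static function hash($password)
    {
        $hash = crypt($password, self::generateSalt());
        // crypt() returns a short failure string ("*0"/"*1") if bcrypt is unsupported
        if (strlen($hash) !== 60) {
            throw new RuntimeException('bcrypt not supported by this PHP build');
        }
        return $hash;
    }
    // The stored hash carries its own cost and salt, so crypt() reuses them
    public static function verify($password, $storedHash)
    {
        $computed = crypt($password, $storedHash);
        return self::constantTimeEquals($computed, $storedHash);
    }
    // Compare without leaking the position of the first mismatch through timing
    private static function constantTimeEquals($a, $b)
    {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($a); $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}
```

Store the 60-character string returned by `hash()` as-is; `verify()` passes that stored string back to `crypt()` as the salt argument, so the cost and salt never need separate columns and the cost can be raised for new hashes without touching old ones.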
Well, I kinda disagree with this. As a demo, it can be really basic, but I also think it has a responsibility as something official, to be setting an example for security. Beginners will often use or modify demos/examples and put them online, without knowing fully how they work. There can be a footnote that says, ‘…and make it secure’, which is expecting the developer to know how to do this, which isn’t always the case (just look at some recent hacks of some large websites; some even stored passwords in plaintext).
Follow-up: There’s now a wiki article covering Yii and phpass.