Discuss on CPasswordHelper

CRYPT_BLOWFISH security fix details

Q1: Should this be included as one of the requirements of Yii 1.1.14?

Does it mean that when the PHP version is less than 3 they must use the unsafe fallback, and if it is less than 3.7 they must face the security issue? And why crypt_blowfish? Why not Bcrypt or PBKDF2? Or just let us choose.

I read through the following articles.

1. CPasswordHelper Class Reference

2. Wiki: Use crypt() for password storage

3. Blog Tutorial: prototype.auth

Q2: My second question is: what if my database is not using latin1 but utf8? Will it increase the size of the DB, since the datatype is char, not binary? (My server provides MySQL 5.5.)

Q3: Some said client-side encryption is useful. Is that true?

Q4: What is your suggestion: to use or not to use CPasswordHelper? What are the advantages of using it? Do I need to implement PBKDF2 (which I prefer, in fact)? I found several implementations and I even made a version of my own; it is easy.

Isn’t Bcrypt another name for crypt_blowfish? And following the manual for PBKDF2, crypt_blowfish (used in password_hash in PHP 5.5) is preferred over it.

As for the requirements of the PHP version, I followed the discussion in the GitHub repo for the compatibility lib for password_hash and there was no obvious solution.

For your second question, it’s not clear to me what you refer to; you have to rephrase it.

The third question is even more weird.

In my yii-usr module I decided to use password_hash or the compatibility lib for older PHP versions. If you have a really old version of PHP you have to decide yourself what to use.

Thank you very much for your reply. Sometimes when people are lost, they need a warm-hearted favor to point the way out. I am a sucker for password storage, I have to admit.

Since most hosting services have upgraded to 5.3++, my first question seems outdated. What I learned from your words is that crypt_blowfish is just another name for bcrypt? I also have this sort of feeling, but can you confirm that they are exactly the same? Anyway, it is not important. When talking about whether to use bcrypt or PBKDF2, supporters from both sides have made their points. I guess there is no right or wrong here, so I no longer expect an answer. I think your suggestion is that I should go ahead with CPasswordHelper; it is secure and future-proof as well, so I should not hesitate.

UPDATE: However, if CPasswordHelper is using crypt, there may be a problem. Please check out the following post from Stack Overflow: How do you use bcrypt for hashing passwords in PHP?

For Q2, the case is closed. I misunderstood how MySQL stores CHAR data.

It takes 1 byte to store a latin1 character and 1 to 3 bytes to store a UTF8 character.

For Q3, some people said that without client-side encryption or SSL, a man-in-the-middle attack may get your account data, so some people suggest using JavaScript to encrypt it before passing it to the server, by using RSA… Is this necessary? I noticed some companies are ignoring this portion, so I guess it may be optional. :blink: Because our router is secure enough? Perhaps.

For Q4, your extension seems awesome; I am just checking it out.

Perhaps I can shed some light on this: bcrypt is a hashing method that can use blowfish among two other options: MD5 and 3DES. Now what bcrypt does is, it requires a salt and applies the selected crypto method several times on the original key. This is something called key stretching, which is, among other things, making pre-computed attacks on stored key hashes (e.g. via rainbow tables) a lot harder.

Well, without SSL, man-in-the-middle attacks aren’t the risk but full disclosure of login credentials. Just use SSL and have your server handle out proper crypto algorithms. This is an invaluable tool for that. As far as I am concerned: I do not put any trust into js-based crypto implementations. Not because it isn’t possible. But there are just so many ways to shoot yourself in the foot with poor implementations or design flaws.
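
Added example, not part of any post in this thread and not Yii or yii-usr code: on PHP 5.6 or later, it shows that a hash produced by password_hash() with PASSWORD_BCRYPT is reproduced by crypt() (the crypt_blowfish/bcrypt question above), and which fields and length the stored string has (relevant to the CHAR column question). The sample password and the helper name describeBcryptHash are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.6 (hash_equals).
$password = 'correct horse battery staple'; // constructed sample input

// password_hash() picks a random salt and returns a crypt()-format string.
// The cost is the base-2 logarithm of the key-stretching iteration count.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Hypothetical helper: split a bcrypt string into the fields it carries.
function describeBcryptHash($hash)
{
    $pattern = '#^\$(2[axy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        return null; // not a bcrypt hash (e.g. a legacy MD5 or SHA-1 digest)
    }
    return [
        'variant' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'length'  => strlen($hash), // 60 single-byte ASCII characters
    ];
}

var_dump(describeBcryptHash($hash));

// crypt() reads variant, cost and salt back out of the stored hash, so feeding
// it the same password reproduces the same string: PHP's CRYPT_BLOWFISH is bcrypt.
$viaCrypt = crypt($password, $hash);
var_dump(hash_equals($hash, $viaCrypt));     // constant-time comparison
var_dump(password_verify($password, $hash)); // the same check in one call
var_dump(password_verify('wrong guess', $hash));

// Two hashes of one password differ because each gets its own random salt,
// which is what defeats pre-computed tables.
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($hash === $second);

// Raising the cost later: detect stored hashes to re-hash at next login.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12]));
```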