Password and other sensitive data in user identity

This might be a stupid question, but is it secure to store things such as password, auth_key, etc. in the user identity?


Hi @YiiHumanoid, welcome to the forum.

We cannot help but store that sensitive data per user in one way or another. Otherwise, we would not be able to authenticate any user in the first place.

What do you have in mind when you feel insecure about storing them in a database table?

Well, I didn’t think much about it and I thought the user identity may be, somehow, accessed by the user or a bad actor.

It’s true that there’s always a possibility of the content of a database table being stolen. It might be via a SQL injection attack or, more probably, via social hacking. We have to protect our database tables against those attacks. But we can’t get rid of the password field from the table that is used for user identity.

BTW, Yii’s authentication framework doesn’t save a raw password into the table. It’s a hash of the password that is stored. Usually you won’t be able to use the hash to log in even if you could get it via some bad act.
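The pattern the reply describes (store only a hash of the password, and a random auth_key for the identity), as an added example that is not part of the forum thread or of Yii itself. It uses plain PHP `password_hash()`/`password_verify()` so it runs stand-alone; in Yii 2 the equivalent calls are `Yii::$app->security->generatePasswordHash($password)` and `Yii::$app->security->validatePassword($password, $hash)`. The `$users` array, `registerUser` and `loginUser` are hypothetical stand-ins for the user table and the identity class.

```php
<?php
// Added example, not code from the forum post or from Yii.
// Demonstrates storing a password hash (never the raw password) and
// verifying a login attempt against it. Plain PHP is used here so the
// snippet runs without a framework; Yii 2's Security component wraps
// the same bcrypt primitives via generatePasswordHash()/validatePassword().

// Constructed in-memory stand-in for the user table (hypothetical).
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = [
        // bcrypt with a random per-hash salt; the raw password is never kept.
        'password_hash' => password_hash($password, PASSWORD_BCRYPT),
        // auth_key is a random per-user token used for "remember me"
        // cookies (Yii's IdentityInterface expects one). It is generated
        // from a CSPRNG and, like the hash, is not derived from the password.
        'auth_key' => bin2hex(random_bytes(32)),
    ];
}

function loginUser(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() re-derives the hash from the submitted password and
    // compares it in constant time against the stored hash.
    return password_verify($password, $users[$username]['password_hash']);
}

function needsRehash(array $users, string $username): bool
{
    // Lets you upgrade old hashes transparently at login time if the cost
    // factor or algorithm is raised later.
    return password_needs_rehash($users[$username]['password_hash'], PASSWORD_BCRYPT);
}

// Usage with constructed sample data.
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
// A stolen hash submitted as the password is itself hashed and compared,
// so it does not authenticate either.
var_dump(loginUser($users, 'alice', $users['alice']['password_hash']));
var_dump(needsRehash($users, 'alice'));
```

Run as written, the first `var_dump` prints `bool(true)` and the next two print `bool(false)`: the correct password verifies, a wrong one does not, and the stored hash used as a password does not either, which is the point the reply makes about a leaked hash. The last call prints `bool(false)` because the hash was just created with the current default cost.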

This is very, very important. Never ever store a password in a database.