Password Encryption

Hello Friends…

I am creating the employee registration form. During registration the password is not encrypted; it is entered directly into the DB. When users log in to their own account we have a Change Password option. There I am using a simple update query to change the password with "md5". Now after updating, the password is encrypted, but I can't log in?

Is any other logic needed?

Whatever the case, I want to encrypt the password!

Help me out.

Thank you.

When the password is stored as encrypted in the database, and the user wants to log in, you need to encrypt the password he enters and compare to the encrypted version in database.

If you are using the same field in the database for the password and the encrypted password, you have to check both the password entered by the user and the encrypted version of it against the database. But that is very bad design :) I suggest you create a new field in the database for the encrypted version of the password, and as the users update/change their passwords, you set the clear-text password field to NULL and start using the encrypted version. As you start digging into this security matter, I also suggest you look into salting passwords.

Hi paul,

Thanks for your suggestion…

In my case I have 2 applications: one is for admin and another is for employees. Admin has rights to register the employee, and only the registered user can access the employee portal. I encrypt the password in the admin portal during registration, and I need to log in on the employee portal.

Now I use this (http://www.yiiframework.com/wiki/240/authenticating-against-phpass-hashes-with-yii) in my registration form. When we save in the DB the password is encrypted. But I can't log in. When an employee logs in, we authenticate with the help of the password hash; this authentication is done in the employee portal's UserIdentity.

This is the case.

Change the UserIdentity to authenticate against your User model from the DB and compare it.

Hi ahamed… this is my UserIdentity… I didn't get logged in…

    class UserIdentity extends CUserIdentity
    {
        private $_id;

        public function authenticate()
        {
            $record=User::model()->findByAttributes(array('username' => $this->username));
            $ph=new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);

            if($record===null)
                $this->errorCode=self::ERROR_USERNAME_INVALID;
            //else if(md5($this->password)!==$record->password && !$ph->CheckPassword($this->password, $record->password))
            else if ( $ph->password !== $record->password)
                $this->errorCode=self::ERROR_PASSWORD_INVALID;
            else
            {
                $this->_id=$record->id;
                $this->username=$record->username;
                $this->errorCode=self::ERROR_NONE;
            }

            return!$this->errorCode;
        }

        public function getId()
        {
            return $this->_id;
        }
    }

Could you post your code snippet using the code button (<>)? It makes your snippet much easier to read.

According to the wiki you mentioned in your previous post, passwords are verified using the code below, which returns true when they match:

    $ph->CheckPassword($this->password, $record->password)

but you are using

    $ph->password !== $record->password

    class UserIdentity extends CUserIdentity
    {
        private $_id;

        public function authenticate()
        {
            $record=User::model()->findByAttributes(array('username' => $this->username));
            $ph=new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);

            if($record===null)
                $this->errorCode=self::ERROR_USERNAME_INVALID;
            //else if(md5($this->password)!==$record->password && !$ph->CheckPassword($this->password, $record->password))
            else if ( $ph->password == $record->password)
                //$this->errorCode=self::ERROR_PASSWORD_INVALID;
                echo "bad";
            else
            {
                $this->_id=$record->id;
                $this->password=$record->password;
                $this->username=$record->username;
                $this->errorCode=self::ERROR_NONE;
            }

            return!$this->errorCode;
        }

        public function getId()
        {
            return $this->_id;
        }
    }

If I use this, it logs in with the help of the username alone… if I give a wrong password it still gets logged in.

what?

Why can't you use the CPasswordHelper provided by Yii? The wiki you followed is too old and many things have changed since, so to be smart, use CPasswordHelper.

Now I have solved the problem… I am using md5 for the registration form, and for the authentication I changed the password into md5… But I still got an error with "md5($model->password)".

Then I found out where the problem was. There is no problem in "md5($model->password)"; the problem is in the DB. I initialized PASSWORD as varchar(15), and that is the problem. Because when encrypting, the size should be more than 25, so the password can't be compared properly and it shows an error. I changed it to varchar(50). Now I have solved the problem.

Thank you ahamed and all the friends.
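As an added example (not code posted in this thread or shipped by Yii), here is a UserIdentity that puts together the three points raised above: ahamed's recommendation to use Yii's CPasswordHelper (available from Yii 1.1.14), paul's suggestion of a separate hash column with lazy migration of rows that still hold the old value, and the column-width pitfall from the last post. The column names `password` (legacy clear text or md5) and `password_hash` (new bcrypt column) are assumptions, as is the `User` model having an `id` attribute.

```php
<?php
// Added example, not code from the thread or from Yii itself.
// Assumed schema on the User model:
//   password      VARCHAR(50)  NULL  -- legacy column: clear text or md5 hex (assumption)
//   password_hash VARCHAR(255) NULL  -- new column for CPasswordHelper output (assumption)
// CPasswordHelper::hashPassword() returns a 60-character bcrypt string, so the
// hash column must be at least VARCHAR(60); a VARCHAR(15) column silently
// truncates the hash and every later verifyPassword() call fails.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $record = User::model()->findByAttributes(array('username' => $this->username));

        if ($record === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }

        if ($record->password_hash !== null) {
            // Normal path: bcrypt verification with Yii's own helper.
            $ok = CPasswordHelper::verifyPassword($this->password, $record->password_hash);
        } else {
            // Legacy path: the row was written before hashing was introduced.
            // Accept either the stored clear text or its md5 (both appear in the
            // thread) using the helper's constant-time comparison, then upgrade
            // the row to a bcrypt hash and clear the legacy column.
            $ok = CPasswordHelper::same($record->password, $this->password)
               || CPasswordHelper::same($record->password, md5($this->password));
            if ($ok) {
                $record->password_hash = CPasswordHelper::hashPassword($this->password);
                $record->password = null;
                $record->saveAttributes(array('password_hash', 'password'));
            }
        }

        if (!$ok) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }

        $this->_id = $record->id;
        $this->username = $record->username;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// Registration side (admin portal): store only the hash, never the clear text.
// Assumed to live in the User model; $this->password here is the form input.
class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{user}}';
    }

    protected function beforeSave()
    {
        if ($this->isNewRecord && $this->password !== null) {
            $this->password_hash = CPasswordHelper::hashPassword($this->password);
            $this->password = null;
        }
        return parent::beforeSave();
    }
}
```

Once every row has been migrated (i.e. no `password_hash IS NULL` rows remain), the legacy branch and the `password` column can be dropped, which removes the md5 and clear-text comparison entirely.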