User Login with UserIdentity and SecurityManager

I was wondering if anyone had tried using the security features of CSecurityManager to encrypt/decrypt or hash/unhash a user's password.

I am still learning Yii and PHP, but could you do something like this, or is there a much better way:

Model:

In the controller you would action the encrypt when creating a user/account

Just not sure how you would decrypt successfully and compare in the UserIdentity.

It was just an idea… let me know if I am heading down the wrong path. Any suggestions or discussion would be fantastic.

Anyone got a point of view or advice?

I use MD5 to encrypt my users' passwords. It is not a good idea (for security reasons) to have a way to decrypt the passwords.

So, I do the following:

  • When creating users, encrypt their passwords using the md5 function (e.g. $pass = md5($pass))

  • When authenticating:

      • On yourproject/protected/components/CUserIdentity, alter the authenticate method.

      • Retrieve the user model like User::model()->findByAttributes(array("username" => $username))

      • Compare the password returned (in MD5) with the password given, which you'll have to convert to MD5 too, like this:

        if (md5($password) === $user->password)

Thanks for your post…

My application is using the md5 approach that you mention, but it seems too basic and simple for hackers. md5 isn't the hardest thing to crack in the world. So I had a look at what some of the other frameworks do. I noticed the symfony sfGuard plugin must use an algorithm and either sha1 or md5 to make it a little harder for the hacker or prying eyes to view.

That's when I had a look at CSecurityManager and thought maybe Yii offers something similar.

I thought a good approach was to generate a key (saved to the database) and use this to hash the password. Then when you log in a user you would do the same approach as mentioned above, but call for the generated key to make sure the passwords match.

It's early in the morning for me, so I hope that all made sense.

Usually you would use some random "salt" prepended to the password before hashing. Your hash will also have that salt prepended (it's needed to hash a user-submitted password for comparison). Have a look at the crypt function in PHP. The problem is that crypt could use different hashing algorithms depending on the algorithms available on the platform. So you could use my crypt function:

To check a password you would do this:

ooaat, MD5 is almost IMPOSSIBLE to hack. It is unidirectional (just encrypt).

And, if it has some kind of vulnerability, be sure that md5 will still be more secure than any bidirectional algorithm.

Quote

ooaat, MD5 is almost IMPOSSIBLE to hack. It is unidirectional (just encrypt).

And, if it has some kind of vulnerability, be sure that md5 will still be more secure than any bidirectional algorithm.

To hack it you can use a dictionary.

I recommend adding some secret string to the password (md5("secret_string".$pass)).
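As an added example (not code posted in this thread, and not Mike's crypt function, which is missing from the page), here is how the two ideas above fit together in PHP: a per-user random salt stored next to the hash, a site-wide secret string mixed in as romanoza suggests, and the built-in password_hash()/password_verify() API (PHP 5.5+), which stores its own random salt inside the hash string. Function and column names are assumptions for illustration.

```php
<?php
// Added example, not code from this thread. The constant name and the
// functions below are hypothetical; only the PHP built-ins are real.

// Site-wide secret ("pepper"). Keep it in config, not in the database,
// so a dumped users table alone is not enough to run a dictionary attack.
const SITE_PEPPER = 'replace-with-a-long-random-value';

// Hand-rolled salted hash: returns the two fields to store on the user row.
function makeSaltedHash(string $password): array
{
    $salt = bin2hex(random_bytes(16));                  // 32 hex chars, unique per user
    $hash = hash('sha256', $salt . SITE_PEPPER . $password);
    return ['salt' => $salt, 'hash' => $hash];
}

// Verify by recomputing with the stored salt. hash_equals() compares in
// constant time, so an attacker cannot learn the hash byte by byte.
function checkSaltedHash(string $password, string $salt, string $storedHash): bool
{
    $candidate = hash('sha256', $salt . SITE_PEPPER . $password);
    return hash_equals($storedHash, $candidate);
}

// Preferred: let PHP pick a slow algorithm (bcrypt by default), cost and salt.
// The salt and algorithm travel inside the returned string, so one column holds
// everything needed to verify later; nothing is ever decrypted.
function makePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPasswordHash(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed demo of what a UserIdentity::authenticate() would do with the
// row loaded via User::model()->findByAttributes(...).
$row = makeSaltedHash('correct horse');
var_dump(checkSaltedHash('correct horse', $row['salt'], $row['hash']));
var_dump(checkSaltedHash('wrong guess', $row['salt'], $row['hash']));

$stored = makePasswordHash('correct horse');
var_dump(checkPasswordHash('correct horse', $stored));
var_dump(checkPasswordHash('wrong guess', $stored));
```

In the salted variant the salt column must be saved together with the hash, since the same password produces a different hash for every user; with password_hash() no extra column is needed.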

Cheers romanoza,

That's exactly what I have done, and it works well.

Thanks to all

You are right. It is really a good approach to append your own key to the string.
