What are Yii2 default password encryption specs?

Hey guys,

I’ve had a look in the code for the Security class but I will admit that it’s still a little nebulous.

I’m looking for encryption options (default and optional) for the password hashing/encryption.

I currently have a requirement for AES-256 level encryption on passwords and was wondering what yii2’s default was. My current assumption is that yii2 uses blowfish cypher by default which would be equivalent to AES-128 I think? (blowfish-cbc-plain:sha?)

How would one alter the configuration to bump this up? I can see that Security supports greater cypher options which is what has me confused. Not sure I fully grasp the order of things, which cypher is used on salt/hash/etc.

Any clarification would be great. Thanks guys.

PS: if simply pointing me in the right direction is easier for you. I’m looking to implement aes-cbc-plain/essiv:sha256 with a 512-bit key if that’s even an option. If you can tell me where to look to accomplish that it would be more than enough.

Ok I’m adding more as I go.

From my understanding, the Salt is generated via OpenSSL random pseudo bytes. The hash is generated using bcrypt or blowfish (PASSWORD_DEFAULT). I can’t seem to find mention of the key size anywhere though. Also it doesn’t seem like I can change this without overloading Security.

Also I don’t think I have any AES options here? Still confused. Maybe AES is just a terrible idea for passwords.

http://www.yiiframework.com/doc-2.0/yii-base-security.html

See ‘$allowedCiphers’ and ‘$cipher’.

I think you can configure the Security component to satisfy your needs very easily.
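
An added example, not part of any post in this thread and not the Yii project's own code: it separates the two Security features the thread touches on, one-way password hashing (bcrypt, tuned by `passwordHashCost`) and reversible data encryption (selected by `$cipher` from `$allowedCiphers`). It assumes Yii 2 installed via Composer at the paths shown; the sample password and data are constructed.

```php
<?php
// Assumption: usual Composer layout for a Yii 2 project.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\base\Security;

// In an application the same array goes under
// 'components' => ['security' => [...]] in the config file.
$security = new Security([
    'cipher' => 'AES-256-CBC',  // must be a key of $allowedCiphers; default is AES-128-CBC
    'passwordHashCost' => 13,   // bcrypt work factor; 13 is the framework default
]);

// 1) Password storage: a one-way bcrypt hash. The salt is generated
//    internally and embedded in the hash string. $cipher is not used here,
//    and there is no encryption key to size.
$password = 'constructed-sample-password';
$hash = $security->generatePasswordHash($password);

echo 'hash prefix : ', substr($hash, 0, 7), PHP_EOL;   // algorithm id and cost
echo 'hash length : ', strlen($hash), PHP_EOL;
echo 'good login  : ', var_export($security->validatePassword($password, $hash), true), PHP_EOL;
echo 'bad login   : ', var_export($security->validatePassword('wrong-guess', $hash), true), PHP_EOL;

// Raising the cost is the supported way to strengthen the password hash.
$stronger = $security->generatePasswordHash($password, 14);
echo 'cost 14     : ', substr($stronger, 0, 7), PHP_EOL;

// 2) Data encryption: this is where $cipher applies. Use it for data that
//    must be read back (tokens, stored secrets), not for login passwords.
$key = $security->generateRandomKey(32);               // 32 random bytes
$ciphertext = $security->encryptByKey('constructed secret data', $key);
$plaintext = $security->decryptByKey($ciphertext, $key);

echo 'round trip  : ', var_export($plaintext === 'constructed secret data', true), PHP_EOL;

// A wrong key fails the integrity check and yields false instead of garbage.
$otherKey = $security->generateRandomKey(32);
echo 'wrong key   : ', var_export($security->decryptByKey($ciphertext, $otherKey), true), PHP_EOL;
```

Changing `cipher` has no effect on hashes already produced by `generatePasswordHash()`; it only changes how `encryptByKey()` and `encryptByPassword()` encrypt new data.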