php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-08-15 06:40:59 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
yii2/docs/guide/security-passwords.md
Pavel Dovlatov bdb7c64910 Update to https protocol for php.net links (#17168) [skip ci] 
* Updated php.net link for some MemCache properties [skip ci]

* Changed protocol to https for links to php.net in comments

* Changed protocol to https for links to php.net in code

* Changed www.php.net (http) to secure.php.net (https) in comments

* Changed www.php.net (http) to secure.php.net (https) in code

* Changed protocol to https for links to php.net in UPGRADE.md

* Changed protocol to https for links to pecl.php.net in comments

* Changed us.php.net to secure.php.net (https) in comments

* Changed protocol to https for links to php.net in docs

* Changed www.php.net (http) to secure.php.net (https) in docs

* Changed protocol to https for links to pecl.php.net in docs

* Changed ru/jp.php.net to secure.php.net (https) in docs

Don't sure about russian guide: is this links meant to be for guide on russian, or not?
2019-02-28 13:09:27 +03:00

1.4 KiB
Raw Blame History

Working with Passwords

Most developers know that passwords cannot be stored in plain text, but many developers believe it's still safe to hash passwords using md5 or sha1. There was a time when using the aforementioned hashing algorithms was sufficient, but modern hardware makes it possible to reverse such hashes and even stronger ones very quickly using brute force attacks.

In order to provide increased security for user passwords, even in the worst case scenario (your application is breached), you need to use a hashing algorithm that is resilient against brute force attacks. The best current choice is bcrypt. In PHP, you can create a bcrypt hash using the crypt function. Yii provides two helper functions which make using crypt to securely generate and verify hashes easier.

When a user provides a password for the first time (e.g., upon registration), the password needs to be hashed:

$hash = Yii::$app->getSecurity()->generatePasswordHash($password);

The hash can then be associated with the corresponding model attribute, so it can be stored in the database for later use.

When a user attempts to log in, the submitted password must be verified against the previously hashed and stored password:

if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
    // all good, logging user in
} else {
    // wrong password
}