php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-10-31 10:39:59 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
yii2/docs/guide/security-passwords.md
Pavel Dovlatov bdb7c64910 Update to https protocol for php.net links (#17168) [skip ci] 
* Updated php.net link for some MemCache properties [skip ci]

* Changed protocol to https for links to php.net in comments

* Changed protocol to https for links to php.net in code

* Changed www.php.net (http) to secure.php.net (https) in comments

* Changed www.php.net (http) to secure.php.net (https) in code

* Changed protocol to https for links to php.net in UPGRADE.md

* Changed protocol to https for links to pecl.php.net in comments

* Changed us.php.net to secure.php.net (https) in comments

* Changed protocol to https for links to php.net in docs

* Changed www.php.net (http) to secure.php.net (https) in docs

* Changed protocol to https for links to pecl.php.net in docs

* Changed ru/jp.php.net to secure.php.net (https) in docs

Don't sure about russian guide: is this links meant to be for guide on russian, or not?
2019-02-28 13:09:27 +03:00

32 lines
1.4 KiB
Markdown
Raw Blame History

Working with Passwords
======================
Most developers know that passwords cannot be stored in plain text, but many developers believe it's still safe to hash
passwords using `md5` or `sha1`. There was a time when using the aforementioned hashing algorithms was sufficient,
but modern hardware makes it possible to reverse such hashes and even stronger ones very quickly using brute force attacks.
In order to provide increased security for user passwords, even in the worst case scenario (your application is breached),
you need to use a hashing algorithm that is resilient against brute force attacks. The best current choice is `bcrypt`.
In PHP, you can create a `bcrypt` hash using the [crypt function](https://secure.php.net/manual/en/function.crypt.php). Yii provides
two helper functions which make using `crypt` to securely generate and verify hashes easier.
When a user provides a password for the first time (e.g., upon registration), the password needs to be hashed:
```php
$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
```
The hash can then be associated with the corresponding model attribute, so it can be stored in the database for later use.
When a user attempts to log in, the submitted password must be verified against the previously hashed and stored password:
```php
if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
// all good, logging user in
} else {
// wrong password
}
```
Reference in New Issue View Git Blame Copy Permalink