Yii Phpass
Yii Phpass is a simple wrapper around Phpass 0.3.
It is strongly recommended to keep the configuration setting 'hashPortable' set to 'false' when running PHP 5.3 and/or the Suhosin patch.
For the other configuration setting, 'hashCostLog2', a value of around 12 will be quite slow and secure; a value of 10 could be a decent compromise.
Requirements
- Yii <= 1.1.13; for 1.1.14+, please use CPasswordHelper
- PHP 5.3 or newer, or Suhosin enabled
Installation
- Extract the release file under protected/extensions/phpass
- Add a line to your configuration file to import the extension, inside the import array:
    'import'=>array(
        //...
        'application.extensions.phpass.*',
    ),
- Add to your main.php file within your Yii project, inside the components array:
    'components'=>array(
        //...
        'hasher'=>array(
            'class'=>'Phpass',
            'hashPortable'=>false,
            'hashCostLog2'=>10,
        ),
    ),
Usage
Access the Phpass object:
Yii::app()->hasher
For a New Password:
$theirHashToStore = Yii::app()->hasher->hashPassword($theirPassword);
Authenticate an Existing Password:
$isValid = Yii::app()->hasher->checkPassword($theirPassword, $theirStoredHash);
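As an added example (not code from the extension or from phpass), the following guard wraps the hasher's checkPassword() so that a missing or malformed stored hash, the situation reported in the comments below where a null hash validated any password, is rejected before phpass ever compares anything. It assumes only an object exposing checkPassword($password, $storedHash), such as Yii::app()->hasher.

```php
<?php
// Added example: defensive wrapper around the extension's checkPassword().
// Assumes $hasher is any object with checkPassword($password, $storedHash),
// e.g. Yii::app()->hasher. Not part of the original extension.

function looksLikePhpassHash($storedHash)
{
    // Phpass 0.3 produces one of three formats; anything else (null, "",
    // or a crypt() failure marker such as "*0") must never be compared.
    if (!is_string($storedHash)) {
        return false;
    }
    // bcrypt: "$2a$" (or "$2y$" on PHP 5.3.7+), 2-digit cost, 22 salt + 31 hash chars
    if (preg_match('/^\$2[ay]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $storedHash)) {
        return true;
    }
    // extended DES: "_", 4 count chars, 4 salt chars, 11 hash chars
    if (preg_match('/^_[.\/A-Za-z0-9]{19}$/', $storedHash)) {
        return true;
    }
    // portable scheme: "$P$" or "$H$", 1 cost char, 8 salt chars, 22 hash chars
    if (preg_match('/^\$[PH]\$[.\/A-Za-z0-9]{31}$/', $storedHash)) {
        return true;
    }
    return false;
}

function guardedCheckPassword($hasher, $password, $storedHash)
{
    if (!is_string($password)) {
        return false;
    }
    if (!looksLikePhpassHash($storedHash)) {
        // A user row with no hash (or a hash written while crypt() was
        // broken) fails closed instead of matching every password.
        return false;
    }
    // Strict identity check: only a boolean true from the hasher counts.
    return $hasher->checkPassword($password, $storedHash) === true;
}

// Usage inside a Yii UserIdentity::authenticate(), for example:
// $isValid = guardedCheckPassword(Yii::app()->hasher, $password, $user->password_hash);
```

The format check is a cheap fail-closed layer in front of the library; it does not replace fixing PasswordHash::CheckPassword() to use '===' as described in the thread.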
- Updated release to version 0.12 - fixed security hole in PHPass source
Settings
What about the phpass settings? I mean the iteration count and hash portability arguments in the PasswordHash class constructor.
re: Settings
Hi resurtm,
I have updated the docs a bit to include some installation instructions.
bug notice (in PHPAss itself)
Hi,
Just reported a bug in PHPAss but I wanted to inform users here about it.
In short, I had a bug in my application in which when I compared the passwords during login, I gave null as the hashed password parameter. The bug is that PasswordHash->CheckPassword() returned "valid" on this situation, in effect accepting any password the user inputted! Luckily I had caught this very early in my development.
EDIT: link to bug was bad. Will try to somehow open a bug and if successful I'll quote it here.
EDIT(2): Ok, submitted a bug by email, hopefully to the relevant location. Let's see what the response will be.
EDIT(3): Problem solved:
First, the solution: Edit the PasswordHash.php class, which is included in the PHPAss extension; in the method CheckPassword() (notice the capital first letter), change the last line to use '===' instead of '=='.
Synopsis: The following information was given by Alexander, a developer that works on PHPAss. The problem is in PHP actually, and to be exact (and we need to be exact here) it's the PHP package for Ubuntu 11.04, 64-bit, package libapache2-mod-php5 v5.3.5-1ubuntu7.7. This version is slightly old and includes a bug in PHP's crypt() function. The bug is related to the "php_crypt_revamped.patch" issue in PHP (didn't dive into the details).
So the bug is in PHP, and applies to some versions of PHP on Ubuntu (possibly on other Linux distributions or OSes), but the workaround is given in the solution above.
Good luck with it!
Edit(4): Some more details on a security notification on Openwall Linux distro: http://www.openwall.com/lists/oss-security/2012/05/04/7
FYI!
Boaz.
re: bug notice (in PHPAss itself)
@boaz - Thanks. I've orphaned the code in the phpass source, and provided a version 0.12 update to the Yii extension, which references the orphaned phpass code.
Any problems, please let me know ASAP.
Requirements
This one is a bit weird:
> PHP 5.3 or Suhosin Patch strongly recommended
To my knowledge, v5.3 has been the last version with a working suhosin patch.
re: Requirements
@Da:Sourcerer -- Thanks for pointing this out. That was derived from the phpass website: http://www.openwall.com/phpass/
What should the requirements be?
Re[2]: Requirements
I think it's simply a matter of rephrasing:
It also wouldn't hurt to mention [CPasswordHelper]. (And yes, I'll update my article soon as well)
Re[3]: Requirements
Done; added reference to CPasswordHelper for Yii >= 1.1.14.
Made some modifications
Thank you for putting this together. I made some modifications to your code, which you can see here:
http://pastebin.com/AbRcGLv2
I typically don't like putting (external) vendor libraries in my extensions directory, because I feel that defeats the purpose of the vendors directory. So I added a $libPath property, which is pretty standard practice from what I've seen in other extensions. I also made some other modifications, which you can see in the pastebin URL.
Also, instead of having to add a line in your list of imports, all you really need to do is this:
    'hasher' => array(
        'class' => 'ext.phpass.Phpass',
        'libPath' => 'application.vendors.phpass.PasswordHash',
        'hashPortable' => false,
        'hashCostLog2' => 10,
    ),
I hope this helps. Thanks again for whipping this up.