Difference between #1 and #3 of
Secure password hashing with bCrypt

Changes

Title unchanged

Secure password hashing with bCrypt

Category unchanged

How-tos

Yii version unchanged

Tags unchanged

security, password, hash, hashing, bcrypt, login

Content changed

[...]
$key = uniqid($this->prefix, true);

// 12 rounds of HMAC must be reproduced / created verbatim, no known shortcuts.
// Salsa20 returns more than enough bytes.
for($i = 0; $i < 12; $i++) {
$bytes = hash_hmac('salsa20ha512', microtime() . $bytes, $key, true);
usleep(10);
}
[...]
```

#### UserIdentity - Modify password check to the following static method:
 
 
```php 
} else if (!bCrypt::verify($this->password, $user->password)) {
 
$this->errorCode=self::ERROR_PASSWORD_INVALID;
 
 
```
 
 
 
#### Discussion How does this work? By hooking into the User model's afterValidate() method we can drop in this code without any major changes to the UserIdentity or other components. What happens is that when your login form is submitted the inputs are validated (username, password). If they pass validation, the password value gets sent through the encrypt function and returned as a hash for database comparison. The only remaining work to do is to ensure that your password field in the database is large enough to hold the values. I recommend using char(60) as field type.
5 0
9 followers
Viewed: 38 134 times
Version: 1.1
Category: How-tos
Tags: bcrypt, hash, hashing, login, password, security
Written by: waitforit
Last updated by: Ivo Pereira
Created on: Dec 20, 2011
Last updated: 11 years ago
Update Article
Revert to #1 | Revert to #3

Revisions

View all history