Revision #2 has been created by waitforit on Dec 20, 2011, 7:55:14 PM with the memo:
Added password check in UserIdentity component
« previous (#1) next (#3) »
Changes
Title
unchanged
Secure password hashing with bCrypt
Category
unchanged
How-tos
Yii version
unchanged
Tags
unchanged
security, password, hash, hashing, bcrypt, login
Content
changed
[...]
$enc = NEW bCrypt();
return $enc->hash($value);
}
```
#### UserIdentity - Modify password check to the following static method:
```php
} else if (!bCrypt::verify($this->password, $user->password)) {
$this->errorCode=self::ERROR_PASSWORD_INVALID;
```
#### Discussion
How does this work?
By hooking into the User model's afterValidate() method we can drop in this code without any major changes to the UserIdentity or other components. What happens is that when your login form is submitted the inputs are validated (username, password). If they pass validation, the password value gets sent through the encrypt function and returned as a hash for database comparison.
The only remaining work to do is to ensure that your password field in the database is large enough to hold the values. I recommend using char(60) as field type.