
Auth


Password Hashing. I feel like I should comment on some of the claims being posted as replies here.

Password Hashing

For starters, speed IS an issue with MD5 in particular and also SHA1. I've written my own MD5 bruteforce application just for the fun of it, and using only my CPU I can easily check a hash against about 200 million hashes per second. The main reason for this speed is that for most attempts you can bypass 19 out of 64 steps in the algorithm. For longer input (> 16 characters) it won't apply, but I'm sure there are some ways around it. If you search online you'll see people claiming to be able to check against billions of hashes per second using GPUs. Here's why 100 billion per second is an issue: Assume most passwords contain a selection of 96 characters. So in essence: There's a reason why newer hash algorithms are specifically designed not to be easily implemented on GPUs. Oh, and I can see there's someone mentioning MD5 and rainbow tables. Crypt. crypt — One-way string hashing. string crypt ( string $str [, string $salt ] ). The salt parameter is optional.
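The two points made above, unsalted MD5 being cheap and deterministic, and crypt() versus password_hash() as described in the Crypt section that follows, side by side in one script. This is an added example, not code from the forum post or from the PHP manual. It assumes PHP 7.4 or later (hrtime(), arrow functions) and uses a constructed sample password; the hashes-per-second figures it prints depend on the machine it runs on.

```php
<?php
declare(strict_types=1);

// Hash one password three ways and return all three strings.
function hashThreeWays(string $password): array
{
    // Unsalted MD5: deterministic and cheap, which is exactly what makes
    // brute force and precomputed tables effective against it.
    $md5 = md5($password);

    // crypt() with a hand-built bcrypt salt: "$2y$", a two-digit cost, "$",
    // then 22 characters from "./A-Za-z0-9". Building this string yourself
    // is where crypt() callers go wrong; password_hash() does it for you.
    $saltChars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $crypt = crypt($password, '$2y$10$' . $saltChars);

    // password_hash(): PHP picks the salt, the algorithm and the cost.
    $modern = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

    return ['md5' => $md5, 'crypt' => $crypt, 'password_hash' => $modern];
}

// Rough hashes-per-second figure for a callable on this machine's CPU.
function hashesPerSecond(callable $hash, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $hash('password' . $i);
    }
    return $iterations / ((hrtime(true) - $start) / 1e9);
}

// Expectations are encoded as checks that throw, not as printed values.
function check(string $label, bool $condition): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label\n";
}

$password = 'correct horse battery staple';   // constructed sample input
$a = hashThreeWays($password);
$b = hashThreeWays($password);

// Same password, same MD5: one precomputed table serves every user who chose it.
check('md5 is deterministic', $a['md5'] === $b['md5']);
// Salted hashes of the same password differ, so a table has to be rebuilt per user ...
check('crypt outputs differ', $a['crypt'] !== $b['crypt']);
check('password_hash outputs differ', $a['password_hash'] !== $b['password_hash']);
// ... and both still verify. password_verify() accepts raw crypt() output
// because password_hash() is a crypt() wrapper producing the same format.
check('crypt hash verifies', password_verify($password, $a['crypt']));
check('password_hash verifies', password_verify($password, $a['password_hash']));
check('wrong password rejected', !password_verify('wrong', $a['password_hash']));
// crypt() signals a malformed salt string by returning "*0" instead of a
// 60-character bcrypt hash, so a length check catches salt mistakes early.
check('crypt produced a 60-char bcrypt hash', strlen($a['crypt']) === 60);

// One core, no GPU: MD5 is orders of magnitude faster than bcrypt at cost 10,
// which is the whole point of a tunable work factor.
printf("md5:    %.0f hashes/s\n", hashesPerSecond('md5', 200000));
printf("bcrypt: %.1f hashes/s\n",
    hashesPerSecond(fn(string $p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 10]), 10));
```

Run it with `php hashes.php`. The bcrypt cost is the knob to turn as hardware gets faster: raising it makes every hash, legitimate or attacker-run, proportionally slower, and password_needs_rehash() lets you migrate stored hashes to the new cost at the user's next login.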

Crypt

However, crypt() creates a weak password hash without a salt, and PHP 5.6 or later raises an E_NOTICE when the salt is omitted. password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically; it is a simple crypt() wrapper and is compatible with existing password hashes. Some operating systems support more than one type of hash. The standard DES-based crypt() returns the salt as the first two characters of the output. On systems where the crypt() function supports multiple hash types, the following constants are set to 0 or 1 depending on whether the given type is available: CRYPT_STD_DES - Standard DES-based hash with a two-character salt from the alphabet "./0-9A-Za-z". Note: As of PHP 5.3.0, PHP contains its own implementation and will use that if the system lacks support for one or more of the algorithms. Parameters: str - The string to be hashed. Registration Forms. Q-efx, on 17 August 2009 - 12:08 AM, said: Eh?

Registration Forms

I am not quite sure if I understand you right. But dictionary attacks come through your website, not your database (you should only allow one IP to access the DB), and as long as users enter their data in "clear" forms, it doesn't matter how "good" your database data is encrypted.

I'm sorry about the length of the information (but it's condensed from about 6 or 7 articles of information). At any rate, first off, yes, dictionary attacks are performed through the site; that's why it's imperative that you protect your site from those situations. But it doesn't just stop there. That being said, based on the type of encryption / hashing you use, you have greater chances of protecting yourself. Now, by salting a hash, what you effectively do is create a different partial string to perform with the hash.

But as time goes on, these methods of encryption and hashing will become vulnerable. Authentication and Authorization. Authentication and authorization are required for a Web page that should be limited to certain users.
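The two sides of the exchange above, an online dictionary attack arriving through the login form and a salted hash in the database, as one added example in plain PHP. This is not code from either poster. It assumes PHP 7.4 or later and replaces the database with constructed in-memory arrays, a fixed clock, and a constructed weak-password case; the user-store shape and the throttling thresholds are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the users table and the failed-attempt counter.
// A real site keeps both in the database; the shape is what matters here.
$users = [];       // username => ['hash' => string]
$failures = [];    // username => ['count' => int, 'first' => unix time]

const MIN_PASSWORD_LENGTH = 12;
const MAX_FAILURES = 5;          // attempts per account ...
const WINDOW_SECONDS = 900;      // ... within this many seconds

// Registration: the form is the only place a plaintext password is seen,
// so reject the weakest inputs here and store nothing but a salted hash.
function register(string $username, string $password, array &$users): string
{
    if (!preg_match('/^[a-z0-9_]{3,32}$/', $username)) {
        return 'bad-username';
    }
    if (isset($users[$username])) {
        return 'taken';
    }
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return 'weak-password';
    }
    // password_hash() generates its own salt, so two users with the same
    // password get different hashes and a dictionary must be re-run per user.
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
    return 'ok';
}

// Login: verify against the stored hash and throttle failures per account,
// because an online dictionary attack is many attempts against one name.
function login(string $username, string $password, array &$users, array &$failures,
               string $dummyHash, int $now): string
{
    $f = $failures[$username] ?? ['count' => 0, 'first' => $now];
    if ($now - $f['first'] > WINDOW_SECONDS) {
        $f = ['count' => 0, 'first' => $now];       // window expired, start over
    }
    if ($f['count'] >= MAX_FAILURES) {
        return 'locked';
    }

    // Verify against a dummy hash when the user does not exist, so that the
    // response time does not reveal which usernames are valid.
    $known = isset($users[$username]);
    $hash = $known ? $users[$username]['hash'] : $dummyHash;
    $ok = password_verify($password, $hash) && $known;

    if (!$ok) {
        $f['count']++;
        $failures[$username] = $f;
        return 'invalid';
    }

    unset($failures[$username]);
    // Transparent upgrade when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return 'ok';
}

// The dummy hash is built once, from random input, never from a real password.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got $got, expected $want");
    }
    echo "$label: $got\n";
}

$t = 1_700_000_000;   // fixed clock so the window logic is reproducible
check('register',       register('alice', 'correct horse battery', $users), 'ok');
check('weak password',  register('bob', 'password', $users), 'weak-password');
check('good login',     login('alice', 'correct horse battery', $users, $failures, $dummyHash, $t), 'ok');
for ($i = 0; $i < MAX_FAILURES; $i++) {
    check("wrong attempt $i", login('alice', "guess$i", $users, $failures, $dummyHash, $t), 'invalid');
}
check('locked out',     login('alice', 'correct horse battery', $users, $failures, $dummyHash, $t), 'locked');
check('window expired', login('alice', 'correct horse battery', $users, $failures, $dummyHash, $t + 901), 'ok');
check('unknown user',   login('mallory', 'anything', $users, $failures, $dummyHash, $t), 'invalid');
```

Per-account lockout is deliberately the simplest throttle; on its own it lets an attacker lock out a victim by guessing wrongly five times, so a production site combines it with per-IP limits, CAPTCHA, or progressive delays rather than a hard lock.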

Authentication and Authorization

Authentication is about verifying whether someone is who they claim to be. It usually involves a username and a password, but may include any other method of demonstrating identity, such as a smart card, fingerprints, etc. Authorization is finding out if the person, once identified (i.e. authenticated), is permitted to manipulate specific resources. This is usually determined by finding out if that person is of a particular role that has access to the resources. Yii has a built-in authentication/authorization (auth) framework which is easy to use and can be customized for special needs. The central piece in the Yii auth framework is a pre-declared user application component, which is an object implementing the IWebUser interface. As mentioned above, authentication is about validating the identity of the user. We define an identity class which contains the actual authentication logic.
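The identity class the guide refers to, written out as an added example for Yii 1.1 (the release that defines IWebUser and CUserIdentity), together with a controller that uses it for both steps, authentication on login and a role check as authorization. This is not code from the Yii guide. It assumes a hypothetical User ActiveRecord model with id, username, password_hash and role columns, with hashes produced by PHP's password_hash(); the class would live in protected/components/UserIdentity.php and the controller in protected/controllers/, and it only runs inside a Yii 1.1 application.

```php
<?php
// protected/components/UserIdentity.php (assumed location)
class UserIdentity extends CUserIdentity
{
    private $_id;

    // Called by the login action; must set errorCode and return true on success.
    public function authenticate()
    {
        // Hypothetical ActiveRecord model; the column names are assumptions.
        $user = User::model()->findByAttributes(array('username' => $this->username));

        if ($user === null) {
            // Distinct error codes are useful for logging; the UI should still
            // show one generic message so usernames cannot be enumerated.
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            // Persisted in the session by CWebUser::login(); read back with
            // Yii::app()->user->getState('role') for authorization checks.
            $this->setState('role', $user->role);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    // The default getId() returns the username; return the primary key instead
    // so a username change does not change the identity.
    public function getId()
    {
        return $this->_id;
    }
}

// protected/controllers/SiteController.php (assumed location)
class SiteController extends CController
{
    // Authentication: build the identity from the posted form and log in.
    public function actionLogin()
    {
        $username = (string) Yii::app()->request->getPost('username', '');
        $password = (string) Yii::app()->request->getPost('password', '');

        $identity = new UserIdentity($username, $password);
        if ($identity->authenticate()) {
            // Second argument: cookie-based login duration in seconds (30 days here).
            Yii::app()->user->login($identity, 3600 * 24 * 30);
            $this->redirect(Yii::app()->user->returnUrl);
        }
        // Same message for a bad username and a bad password.
        $this->render('login', array('error' => 'Invalid username or password.'));
    }

    // Authorization: only an authenticated user with the admin role gets in.
    public function actionAdmin()
    {
        if (Yii::app()->user->isGuest || Yii::app()->user->getState('role') !== 'admin') {
            throw new CHttpException(403, 'You are not allowed to perform this action.');
        }
        $this->render('admin');
    }
}
```

A single role string kept in session state is enough for a small site; as the permission model grows, Yii's RBAC layer (an authManager component queried through Yii::app()->user->checkAccess()) replaces the hand-written comparison in actionAdmin with named operations and roles.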