Search code examples
phpsecurityencryptionpassword-protectionyii2

Yii2 Username and password encryption


I had scanned my yii2 application few days before and noted that username and passwords from the login form is posting without any encryption. How can i make my username and password more secure?I know \yii\helpers\Security::encrypt($data, $secretKey) will encrypt the data and similiary we can decrypt it. But how to use it in a view like login form?

This is my login form

    <?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
    <?= $form->field($model, 'username') ?>
    <?= $form->field($model, 'password')->passwordInput() ?>
    <div class="form-group">
    <?= Html::submitButton('Login', ['class' => 'btn btn-info']) ?>
    </div>
    <?php ActiveForm::end(); ?>

How to handle the encryption of user entered data here?


Solution

  • As Sisko78 claims in its comment, hashing password on client side won't do much help in terms of security, but can do a lot of harm (if someone turns of Javascript at all in their browser, they're generally screwed, as your server won't be able to correctly process not hashed data).

    I have asked very similar question on this matter and was given this great answer. In general:

    From the attacker's standpoint, whether you send a plain text password or a MD5 hash or it doesn't make much difference (...)

    This answer includes reference to MD5 hash, because I asked specifically for this one. But, it does not have any relation to the fact, that MD5 is now treated as very insecure. In terms of your (mine) question, using any kind of client-side password hasing is as insecure as not hashing password at all. And the only really secure option is to use HTTPS protocol. Amen.