Yii2 Username and password encryption


Problem description


I had scanned my yii2 application a few days before and noted that the username and password from the login form are posted without any encryption. How can I make my username and password more secure? I know \yii\helpers\Security::encrypt($data, $secretKey) will encrypt the data and similarly we can decrypt it. But how to use it in a view like a login form?

Here is my login form

    <?php
    // Imports needed for this view fragment to run as-is
    use yii\helpers\Html;
    use yii\widgets\ActiveForm;
    ?>
    <?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
    <?= $form->field($model, 'username') ?>
    <?= $form->field($model, 'password')->passwordInput() ?>
    <div class="form-group">
    <?= Html::submitButton('Login', ['class' => 'btn btn-info']) ?>
    </div>
    <?php ActiveForm::end(); ?>


How to handle the encryption of user entered data here?

Recommended answer


As Sisko78 claims in their comment, hashing the password on the client side won't do much to help in terms of security, but can do a lot of harm (if someone turns off JavaScript in their browser, they're generally screwed, as your server won't be able to correctly process the non-hashed data).


I have asked a very similar question on this matter and was given this great answer. In general:



From the attacker's standpoint, whether you send a plain text password or an MD5 hash or it doesn't make much difference (...)


This answer includes a reference to the MD5 hash, because I asked specifically about this one. But it does not have any relation to the fact that MD5 is now treated as very insecure. In terms of your (my) question, using any kind of client-side password hashing is as insecure as not hashing the password at all. And the only really secure option is to use the HTTPS protocol. Amen.
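The server-side counterpart of the answer above, as an added example that is not part of the question or the answer: the form submits the password unchanged inside TLS, the login action refuses plain-HTTP requests, and the server verifies the password against a stored hash using Yii2's Security component (Yii::$app->security, the successor of the \yii\helpers\Security class mentioned in the question). The User class, its password_hash column and findByUsername() are assumed names, not from the page.

```php
<?php
// Added example, not the page's own code. Two classes shown together for brevity;
// in a real app they live in app/models/LoginForm.php and app/controllers/SiteController.php.
use Yii;
use yii\base\Model;
use yii\web\Controller;

class LoginForm extends Model
{
    public $username;
    public $password;

    public function rules()
    {
        return [
            [['username', 'password'], 'required'],
            ['password', 'validatePassword'],
        ];
    }

    // Inline validator: the browser sends the raw password over HTTPS; the server,
    // not the client, does the hashing work via validatePassword() (bcrypt by default).
    // The stored hash was created with Yii::$app->security->generatePasswordHash($plain).
    public function validatePassword($attribute, $params)
    {
        if ($this->hasErrors()) {
            return;
        }
        $user = User::findByUsername($this->username); // hypothetical finder, assumed
        // One error message for both "unknown user" and "wrong password", so the
        // response does not reveal which usernames exist.
        if ($user === null
            || !Yii::$app->security->validatePassword($this->password, $user->password_hash)) {
            $this->addError($attribute, 'Incorrect username or password.');
        }
    }
}

class SiteController extends Controller
{
    // Never accept credentials over plain HTTP: redirect to the HTTPS URL instead,
    // so the password only ever leaves the browser inside the TLS tunnel.
    public function beforeAction($action)
    {
        $request = Yii::$app->request;
        if (!$request->isSecureConnection) {
            Yii::$app->response->redirect('https://' . $request->hostName . $request->url)->send();
            return false;
        }
        return parent::beforeAction($action);
    }
}
```

The redirect is a safety net; the web server should additionally serve HSTS so browsers stop attempting plain-HTTP requests at all.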
