Yii2 username and password encryption


Problem description


I scanned my yii2 application a few days ago and noticed that the username and password from the login form are posted without any encryption. How can I make my username and password more secure? I know yii\helpers\Security::encrypt($data, $secretKey) will encrypt the data and similarly we can decrypt it. But how to use it in a view like the login form?

This is my login form

    <?php
    // Login view: $model is the LoginForm instance passed in by the controller's render().
    use yii\helpers\Html;
    use yii\widgets\ActiveForm;
    ?>
    <?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
    <?= $form->field($model, 'username') ?>
    <?= $form->field($model, 'password')->passwordInput() ?>
    <div class="form-group">
        <?= Html::submitButton('Login', ['class' => 'btn btn-info']) ?>
    </div>
    <?php ActiveForm::end(); ?>

How do I handle the encryption of the user-entered data here?

Solution

As Sisko78 claims in their comment, hashing the password on the client side won't help much in terms of security, but can do a lot of harm (if someone turns off JavaScript in their browser at all, they're generally screwed, as your server won't be able to correctly process the un-hashed data).

I asked a very similar question on this matter and was given this great answer. In general:

From the attacker's standpoint, whether you send a plain text password or an MD5 hash of it doesn't make much difference (...)

This answer includes a reference to an MD5 hash, because I asked specifically about that one. But it has no relation to the fact that MD5 is now treated as very insecure. In terms of your (my) question, using any kind of client-side password hashing is as insecure as not hashing the password at all. And the only really secure option is to use the HTTPS protocol. Amen.
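What the answer recommends, in practice, as an added example that is not code from the question, the answer or the Yii project: the login view stays exactly as posted, the form is only accepted over HTTPS, and the password is hashed on the server with Yii's yii\base\Security component. Security::encrypt() would not help here because the key would have to live in the browser, where the same attacker who can read the POST can read it; TLS is the transport encryption the asker is looking for. The class names, the `user` table with `id`, `username`, `password_hash` and `auth_key` columns, and the controller layout are assumptions that follow the Yii2 basic template conventions; in a real application each class goes in its own file under the usual `app\models` and `app\controllers` namespaces.

```php
<?php
// Added example, not code from the question or answer. Assumed schema: a `user`
// table with `id`, `username`, `password_hash` and `auth_key`. The plaintext
// password travels inside the TLS tunnel and is hashed only here, on the server.

use yii\base\Model;
use yii\db\ActiveRecord;
use yii\web\Controller;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    public static function tableName() { return '{{%user}}'; }

    // Only a bcrypt hash is stored; generatePasswordHash() wraps PHP's
    // password_hash() and picks a fresh random salt for every call.
    public function setPassword(string $password): void
    {
        $this->password_hash = \Yii::$app->security->generatePasswordHash($password);
    }

    // validatePassword() wraps password_verify(), a constant-time comparison.
    public function validatePassword(string $password): bool
    {
        return \Yii::$app->security->validatePassword($password, $this->password_hash);
    }

    // IdentityInterface, so Yii::$app->user->login() can accept this record.
    public static function findIdentity($id) { return static::findOne($id); }
    public static function findIdentityByAccessToken($token, $type = null) { return null; }
    public function getId() { return $this->id; }
    public function getAuthKey() { return $this->auth_key; }
    public function validateAuthKey($authKey) { return $this->auth_key === $authKey; }
}

class LoginForm extends Model
{
    public $username;
    public $password;
    private $_user;

    public function rules()
    {
        return [
            [['username', 'password'], 'required'],
            ['password', 'validatePassword'],   // inline validator, defined below
        ];
    }

    // One generic error for both "unknown user" and "wrong password", so the
    // form does not reveal which usernames exist.
    public function validatePassword($attribute, $params)
    {
        if (!$this->hasErrors()) {
            $user = $this->getUser();
            if (!$user || !$user->validatePassword($this->password)) {
                $this->addError($attribute, 'Incorrect username or password.');
            }
        }
    }

    public function getUser()
    {
        if ($this->_user === null) {
            $this->_user = User::findOne(['username' => $this->username]);
        }
        return $this->_user;
    }
}

class SiteController extends Controller
{
    // Refuse to process any action of this controller over plain HTTP. A POST
    // that already arrived over HTTP has already leaked, so this only stops the
    // application from accepting it; the real fix is TLS plus HSTS at the web
    // server, and this check is the application-level fallback.
    public function beforeAction($action)
    {
        if (!\Yii::$app->request->isSecureConnection) {
            $url = 'https://' . \Yii::$app->request->hostName . \Yii::$app->request->url;
            \Yii::$app->response->redirect($url, 301);
            return false;
        }
        return parent::beforeAction($action);
    }

    public function actionLogin()
    {
        $model = new LoginForm();
        if ($model->load(\Yii::$app->request->post()) && $model->validate()) {
            \Yii::$app->user->login($model->getUser());
            return $this->goBack();
        }
        // Renders the unchanged login view from the question.
        return $this->render('login', ['model' => $model]);
    }
}
```

Once the form is only served and accepted over HTTPS, the session and identity cookies should be marked the same way in the application config, for example `'session' => ['cookieParams' => ['httponly' => true, 'secure' => true]]` and `'user' => ['identityCookie' => ['name' => '_identity', 'httpOnly' => true, 'secure' => true]]`, so a login obtained over TLS cannot be replayed by a cookie captured over plain HTTP.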
