In MVC architecture, where should password encryption take place

I'm working on creating basic password security on a medium-size PHP CodeIgniter website. I need to start encrypting passwords that are being saved into a database. User passwords can be inserted using different methods, including CSV import or an individual sign-up approach.

Therefore I just want to know: what is the correct level in an MVC system at which a password should be encrypted?

GrayB asked May 31 '12 15:05



1 Answer

The only time you need to perform this function is when adding a new user or updating the password for an existing user. Both of these functions should be performed by the User model. For example, something like:

$user = new User();
$user->setName('...');
$user->setPassword('...');
$user->save();

or:

$user = User::find('...');
$user->setPassword('...');
$user->save();

In this example, the setPassword() method would do the actual encryption.

Also, think of it this way -- it shouldn't be possible to get an unencrypted password into the system. So, you make the User model the only way to interact with users, and have it transparently encrypt all passwords given to it.

Alex Howansky answered Oct 05 '22 13:10
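The pattern the answer describes, as an added example that is not part of the original answer or of CodeIgniter itself: a User model whose setPassword() is the only way a password enters the system. It uses PHP's built-in password_hash() and password_verify(), so what is stored is a salted one-way hash rather than a reversible encryption, and it shows that both entry points from the question (sign-up and CSV import) pass through the same method. The class and function names, and the sample CSV rows, are assumptions constructed for the example.

```php
<?php
// Added example, not code from the original answer or from CodeIgniter.
// Class/function names (User, importUsersFromCsv) are assumed for illustration.

final class User
{
    private string $name = '';
    private string $passwordHash = '';

    public function setName(string $name): void
    {
        $this->name = $name;
    }

    // The single place a plaintext password is accepted. It is immediately
    // turned into a salted bcrypt hash; the model never holds the raw value.
    // Note: bcrypt only uses the first 72 bytes of the input.
    public function setPassword(string $plaintext): void
    {
        if ($plaintext === '') {
            throw new InvalidArgumentException('password must not be empty');
        }
        $this->passwordHash = password_hash($plaintext, PASSWORD_DEFAULT);
    }

    // Login check: verify against the stored hash; nothing is ever "decrypted".
    public function verifyPassword(string $plaintext): bool
    {
        return password_verify($plaintext, $this->passwordHash);
    }

    // If the default algorithm or cost changes later, callers can rehash
    // transparently after a successful login.
    public function needsRehash(): bool
    {
        return password_needs_rehash($this->passwordHash, PASSWORD_DEFAULT);
    }

    public function getName(): string
    {
        return $this->name;
    }

    public function getPasswordHash(): string
    {
        return $this->passwordHash;
    }
}

// Bulk import path from the question. Because it builds User objects, a CSV
// import cannot bypass hashing any more than the sign-up form can.
function importUsersFromCsv(string $csvText): array
{
    $users = [];
    foreach (explode("\n", trim($csvText)) as $line) {
        [$name, $password] = str_getcsv($line);
        $u = new User();
        $u->setName($name);
        $u->setPassword($password);   // hashed here, never persisted raw
        $users[] = $u;
    }
    return $users;
}

// Constructed sample input (two fictitious accounts).
$users = importUsersFromCsv("alice,correct horse battery staple\nbob,hunter2");

assert($users[0]->verifyPassword('correct horse battery staple'));
assert(!$users[1]->verifyPassword('wrong'));
assert(str_starts_with($users[0]->getPasswordHash(), '$2y$')); // bcrypt prefix
echo 'hashed ', count($users), " users; no plaintext stored\n";
```

The controller layer (sign-up form handler, CSV upload handler) only ever calls setPassword() with whatever the user typed; it has no way to write the password column directly, which is the "only way to interact with users" property the answer asks for.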