Store Your Password
- Your password will be stored in our DB securely using the latest technology.
- Your password will be hashed (simply: encrypted) and cannot be decrypted by the author or by an attacker.
- Nevertheless, create a password that is strong enough.
Yes, of course.
Our system "encrypts(*)" your password with a "hash function" based on the latest technology and stores the result. Once hashed, no one can access your raw password (including the author).
At this time, your password will be hashed using the Argon2id algorithm.
The algorithm will be updated if that becomes necessary.
(*) "encrypt": Technically, "encrypt" is not the correct term; a hash is one-way and cannot be reversed to recover the password.
If our database is leaked due to some kind of accident, the hashed password will become known to the attacker (a "cracker", perhaps known to you as a "hacker").
They will try to recover your password to log in to our website or for another purpose, but recovering a strong password from the hash is infeasible in realistic time.
However, if you use a sufficiently simple password (e.g., "password", "qwerty1234"), the attacker will be able to log in quickly, because such passwords are tried first.
So, you should use a strong password and not reuse the same password on another website or application.
- All characters can be used. (You can even use emoji 😀, kanji 漢字, the Arabic alphabet العَرَبِيَّة and so on, if the browser allows it.)
- 8 characters or more (recommended: 10 characters or more)
- The maximum number of characters is not defined. (Up to a few megabytes is accepted, but this has not been tested. I believe no one is using such a password.)
- Use the password generator built into the browser.
- Use the password generator built into your password manager software.
- Use a password generator provided on the web, like 1Password's.
When you register to our system, your data is processed by app\models\RegisterForm.
If the input content is validated, the toUserModel method will be called.
In the method, Password::hash() is called and your password will be hashed.
Here is the implementation of the Password::hash() function.
In the current environment, the Argon2id algorithm is selected as described above.
In the past, the Bcrypt and Argon2i algorithms were selected.
The preprocess method does nothing for the Argon algorithms.
The Bcrypt algorithm used preprocessing to ease its restrictions(*).
(*) Bcrypt restrictions: If the Bcrypt algorithm is used directly, the maximum password length is limited to 72 characters (more precisely, 72 bytes; anything beyond that is silently ignored).
When a new hash function becomes available in our system, passwords from new registrations will be stored in the database using the new hash function.
For passwords stored in the past, we cannot update the "hashed value of your password" directly, because we do not know the actual password.
Those passwords will be upgraded when you log into our system, since that is the only moment the actual password is available to us.
This is a best practice as far as I know.
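To make the two steps above concrete (Password::hash() with a preprocess step that is a no-op for Argon2, and the upgrade of old hashes at login time), here is an added example written against PHP's built-in password_* API. It is not the project's own Password class: the class name PasswordExample, the Bcrypt pre-hash (SHA-384 then Base64, one common way to sidestep the 72-byte limit) and the $persist callback are assumptions made for this illustration. The Argon2id parameters (m=65536, t=4, p=1) and the Bcrypt cost (10) are taken from the hashes shown on this page. PASSWORD_ARGON2ID requires a PHP build with Argon2 support.

```php
<?php
// Added example: a stand-alone sketch of the behaviour described above, written
// against PHP's built-in password_* API. It is NOT the project's own Password
// class. The class name, the Bcrypt pre-hash (SHA-384 + Base64) and the $persist
// callback are assumptions made for this illustration.
declare(strict_types=1);

final class PasswordExample
{
    // Same parameters as the Argon2id hashes shown on this page: m=65536, t=4, p=1.
    private const ARGON2ID_OPTIONS = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
    // Same cost as the Bcrypt hashes shown on this page ($2y$10$...).
    private const BCRYPT_OPTIONS = ['cost' => 10];

    /** Hash a new password. Argon2id is the current choice; Bcrypt is kept only for the demo. */
    public static function hash(string $password, $algo = PASSWORD_ARGON2ID): string
    {
        $options = ($algo === PASSWORD_BCRYPT) ? self::BCRYPT_OPTIONS : self::ARGON2ID_OPTIONS;
        return password_hash(self::preprocess($password, $algo), $algo, $options);
    }

    /**
     * Argon2 has no practical length limit, so the password passes through unchanged.
     * Bcrypt only looks at the first 72 bytes, so (assumed scheme) it is first reduced
     * to a fixed-length, NUL-free string: 48 bytes of SHA-384, Base64-encoded to 64 chars.
     */
    private static function preprocess(string $password, $algo): string
    {
        if ($algo !== PASSWORD_BCRYPT) {
            return $password;
        }
        return base64_encode(hash('sha384', $password, true));
    }

    /** Verify against whatever algorithm the stored string was produced with. */
    public static function verify(string $password, string $storedHash): bool
    {
        $isBcrypt = password_get_info($storedHash)['algoName'] === 'bcrypt';
        $algo = $isBcrypt ? PASSWORD_BCRYPT : PASSWORD_ARGON2ID;
        return password_verify(self::preprocess($password, $algo), $storedHash);
    }

    /** True when the stored hash is not Argon2id with the current parameters. */
    public static function needsUpgrade(string $storedHash): bool
    {
        return password_needs_rehash($storedHash, PASSWORD_ARGON2ID, self::ARGON2ID_OPTIONS);
    }
}

/**
 * Login step: verify first; if the stored hash uses an older algorithm or weaker
 * parameters, re-hash now, because this is the only moment the plaintext is available.
 * $persist is an assumed callback that writes the new hash to the user's row.
 */
function loginAndUpgrade(string $password, string $storedHash, callable $persist): bool
{
    if (!PasswordExample::verify($password, $storedHash)) {
        return false;
    }
    if (PasswordExample::needsUpgrade($storedHash)) {
        $persist(PasswordExample::hash($password));
    }
    return true;
}

// Demo: a user who registered while Bcrypt was the algorithm logs in today.
$stored = PasswordExample::hash('correct horse battery staple', PASSWORD_BCRYPT);
echo 'before login: ' . password_get_info($stored)['algoName'] . PHP_EOL;

$ok = loginAndUpgrade('correct horse battery staple', $stored, function (string $new) use (&$stored): void {
    $stored = $new; // stand-in for an UPDATE on the users table
});
echo 'login ok: ' . var_export($ok, true) . PHP_EOL;
echo 'after login:  ' . password_get_info($stored)['algoName'] . PHP_EOL;

// A wrong password never triggers a re-hash.
$rejected = loginAndUpgrade('hunter2', $stored, fn(string $h) => null);
echo 'wrong password accepted: ' . var_export($rejected, true) . PHP_EOL;
```

Two details worth noticing: verify() has to apply the same preprocess step that hash() applied when the row was written, otherwise every Bcrypt-era user would be locked out after the migration; and password_needs_rehash() also returns true when the algorithm is unchanged but the cost parameters were raised, so the same login path upgrades hashes when the Argon2id parameters are tightened later.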
- The password "password" with Argon2id (current algorithm):
$argon2id$v=19$m=65536,t=4,p=1$SFlnLi54UGs5eThVcXo0Nw$ThCfkdY4QB6spqRH5MGY4AHVvQJbnk6atfaPaehZmxM
$argon2id$v=19$m=65536,t=4,p=1$QUNIS0xnbUxOVzNzTnNDVw$XALZgNidmKTiRpZmtpNB0PXL5hmJ3tOapAvzVMlHu4E
$argon2id$v=19$m=65536,t=4,p=1$WVdDbHQveFhGdk55Tm8zTw$gVGmuWqDc5VjxVTPKZeg33GBVQ+I/EIiEbkoEWE1cfU
$argon2id$v=19$m=65536,t=4,p=1$ZUVVYmhjMzRwanA3NkpxYQ$JSTG3R/loXa4AiWckIbRJRQIiVJUK6U6Zu/9H6PXuII
$argon2id$v=19$m=65536,t=4,p=1$QTQ3ZzI2cmRGejQ2aU42RQ$ETaR9g/TC0s6YMI/OEPaUPaWpfaW1OPXVd1BWfUTHgg
$argon2id$v=19$m=65536,t=4,p=1$U1lMcmIzTzg0ZU4zbXhKSQ$E0p7qsjYvUs+qBQVVE0L4w/MN4N7HH3Yl1EhMo5Wa3Q
$argon2id$v=19$m=65536,t=4,p=1$TWlCcVlyaUttcFUuVEQzTQ$HzSvaWg4yHFYizvrxzyNcsG9BGkXNuWDxuSi35jOooA
$argon2id$v=19$m=65536,t=4,p=1$cUs4ODBvdVpiSVdGaS5yaQ$kL3NFgM/i81YSb5YquU+farXD/zAM4uS/sfsw99muIs
$argon2id$v=19$m=65536,t=4,p=1$WDZDbWFOcGlDL2FxVGE5Vg$/2ThniDRp5YFvukqhkRaxX6nJbILQdAue8Zlpek+QWI
$argon2id$v=19$m=65536,t=4,p=1$ZVdwbUtmLlB5ekV0OHJsbA$o+cfRsHS/qweJb1XqcsxiteGW0yKptR7cDqfpq8gGtM
- The password "password" with Argon2i (old):
$argon2i$v=19$m=65536,t=4,p=1$SGw2SnFyb2cyUmFJWHY4Qw$sYGZCOcPO85mzPGeknNiORMunjtiIA5jGjNj9FtAydU
$argon2i$v=19$m=65536,t=4,p=1$Z0JnalF2MHdQcksxOWFQeg$UxpkZs5DjCGwbkyKnYfKe2v/Nuoo2wds/tKzj0Jg8m8
$argon2i$v=19$m=65536,t=4,p=1$RlFTOVBLeERsME15ZFpQYw$HO9lwZfkngIYencPKt6W4Tkp8IVvkknh2HIpeg1ogv8
$argon2i$v=19$m=65536,t=4,p=1$RjJEbHNuNmR0cVFJZ2ZrMw$YutIQ2VzP2zp86cZboIo8L2V4mB8za99z47gnfnSVu0
$argon2i$v=19$m=65536,t=4,p=1$OTZLSHgyYjR0VW5Zb3g3SQ$sc5Q5gnnEvsQpEuKPjEaqLJnaC1Tz34IQvavm8tVXdc
$argon2i$v=19$m=65536,t=4,p=1$dGtSRzh5QVhSZmR3WXBtbw$jaOpsDT44avbJph3qTcKLiMsXOHOxgY+LT4hcqJh0vU
$argon2i$v=19$m=65536,t=4,p=1$OS5QS1g3cGRWSEhFdUhGdQ$Bu6MwA+dH1WEeDPmexuiOaofTTS1QdFWMZ4WqCqlQB4
$argon2i$v=19$m=65536,t=4,p=1$aG16b1VTZ2FnMGJ4QjNjSw$JGdkoA1xnI5UQdeDIBsHvWwlB6xrPM3dOP1fvtSSbHQ
$argon2i$v=19$m=65536,t=4,p=1$MFVhR0Jsc1hHVUJiby5maw$4WOfeS0sJeEgY12kGh2ZsOG9qkKrf1ofP1KXgXtJgMw
$argon2i$v=19$m=65536,t=4,p=1$cDBnNk5rdE1ObVR3cndOLg$/KkEJ8PJtooVRf97BnPG6Cxon1/WnOnpX4P8vKGc1II
- The password "password" with Bcrypt (old):
$2y$10$AD6B1IUeaOSDgfNb7WCMreEgAJXMfMC8EEqP6xAcDI8zcPQUzd3dy
$2y$10$yIiW9oaxz3XbgS4jnnz8BeQhfVtqqtDPqzKwmgmV/B82NGLoQr/b.
$2y$10$0kUDmPjTeHAvk9iyGJu6z.CbGEcRwz1WIPc9/4QAilv/5nyo/0m7K
$2y$10$zJlOPgA1KT16H5CNWOTR2.XH.mewz3w9RUwW1jrB/J5Qct/QUKbtq
$2y$10$CsnhK2ILWb4EgIFUS/5yAOCQoXjWjbOYNxpZFDXtivnc10m3EyjJ.
$2y$10$LTUzO.gIL/VO/Z7UfGKeROnE3CAW2th3Xe4fs3zJfi2y2fA9oeqEe
$2y$10$3tDG.f5dVpNhV8n1lP5zieZPs0MdwyqYFPEW2VlJCi/QnDb6F8A4i
$2y$10$O/jqMWPiB3PmLRE.dxc0eew4SkU7bPqzbeBYqwxyEkk7pdQ1lL4om
$2y$10$8pOdZbxmg/DiiplPcXl9DePqDnrubO185Uc7wMwpAMWHvm4dVfRrW
$2y$10$tsE.Gz71hqx76cpb3TJv.uR6c5sw/LEK7xBBttZEtYoFqe.orotMK
Even if you use the same password as someone else, the stored values differ, because each hash includes its own random salt.
Nevertheless, avoid using simple passwords (e.g., "password", "qwerty").
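The reason the ten strings for "password" all differ is visible in the stored format itself. As an added example (not the project's code), the following script decodes a few of the hashes listed above; the two parser functions are written for this illustration, and PHP's built-in password_get_info() is shown alongside them as the equivalent you would normally use.

```php
<?php
// Added example (not the project's code): decode the stored hash strings shown
// above to see why identical passwords produce different values. The parsers are
// written for this illustration; password_get_info() is PHP's built-in equivalent.
declare(strict_types=1);

/** Parse a PHC-format Argon2 string: $argon2id$v=19$m=65536,t=4,p=1$<salt>$<digest> */
function parseArgon2Hash(string $encoded): ?array
{
    $re = '~^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$~';
    if (!preg_match($re, $encoded, $m)) {
        return null;
    }
    return [
        'algo'        => $m[1],
        'version'     => (int) $m[2],
        'memory_kib'  => (int) $m[3],   // 65536 KiB = 64 MiB per hash computation
        'iterations'  => (int) $m[4],
        'parallelism' => (int) $m[5],
        'salt'        => base64_decode($m[6]),  // unpadded Base64; PHP tolerates the missing '='
        'digest'      => base64_decode($m[7]),
    ];
}

/** Parse a Bcrypt string: $2y$10$ followed by a 22-char salt and a 31-char digest. */
function parseBcryptHash(string $encoded): ?array
{
    if (!preg_match('~^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~', $encoded, $m)) {
        return null;
    }
    return ['algo' => 'bcrypt', 'variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

/** Number of distinct salts across a list of parsed hashes. */
function distinctSalts(array $parsed): int
{
    return count(array_unique(array_map(fn(array $p) => $p['salt'], $parsed)));
}

// Taken from the lists above: all are hashes of the string "password".
$argon = [
    '$argon2id$v=19$m=65536,t=4,p=1$SFlnLi54UGs5eThVcXo0Nw$ThCfkdY4QB6spqRH5MGY4AHVvQJbnk6atfaPaehZmxM',
    '$argon2id$v=19$m=65536,t=4,p=1$QUNIS0xnbUxOVzNzTnNDVw$XALZgNidmKTiRpZmtpNB0PXL5hmJ3tOapAvzVMlHu4E',
    '$argon2i$v=19$m=65536,t=4,p=1$SGw2SnFyb2cyUmFJWHY4Qw$sYGZCOcPO85mzPGeknNiORMunjtiIA5jGjNj9FtAydU',
];
$bcrypt = [
    '$2y$10$AD6B1IUeaOSDgfNb7WCMreEgAJXMfMC8EEqP6xAcDI8zcPQUzd3dy',
    '$2y$10$yIiW9oaxz3XbgS4jnnz8BeQhfVtqqtDPqzKwmgmV/B82NGLoQr/b.',
];

$parsedArgon = array_map('parseArgon2Hash', $argon);
foreach ($parsedArgon as $p) {
    printf("%-8s m=%d t=%d p=%d salt=%s (%d bytes)\n",
        $p['algo'], $p['memory_kib'], $p['iterations'], $p['parallelism'],
        bin2hex($p['salt']), strlen($p['salt']));
}
$parsedBcrypt = array_map('parseBcryptHash', $bcrypt);
foreach ($parsedBcrypt as $p) {
    printf("%-8s cost=%d salt=%s\n", $p['algo'], $p['cost'], $p['salt']);
}
$all = array_merge($parsedArgon, $parsedBcrypt);
printf("distinct salts: %d of %d hashes\n", distinctSalts($all), count($all));

// The built-in reports the same parameters without hand parsing.
print_r(password_get_info($argon[0]));

// Because the salt and parameters are embedded, verification needs only the stored
// string and the candidate password. Only the Argon2 strings are checked here: the
// Bcrypt ones on this page went through the project's preprocessing step first.
var_dump(password_verify('password', $argon[0]));
```

The output makes the point of the lists above explicit: the algorithm and cost parameters are identical across all entries, the salt is the only input that changes, and it is stored in the clear next to the digest. The salt does not need to be secret; its job is to make precomputed tables useless and to ensure two users with the same password get unrelated hashes.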