eokorie wrote
> I have successfully managed to implement zfcUser in a project I am working
> on. But I do have one question: is there a way I can change the password
> hashing mechanism? I have read the documentation that came with zfcUser
> and I am aware of the risks involved, but for this purpose, I am trying to
> keep the passwords the same as they are for the time being until I
> convert all my users to a more secure method.
>
> The current password system makes use of a random salt that gets
> encrypted with sha1, and in turn the password is encrypted with the salt
> and again with sha1.
>
> Essentially, the basics of the current encryption system are as follows:
>
> 1. random salt ($salt) is encrypted: $encrypted_salt = sha1($salt)
> 2. Submitted password gets encrypted along with sha1($encrypted_salt . $givenPassword)
>
> How can I modify zfcUser to allow me to keep this method of encrypting my
> passwords?
>
> Many Thanks
Hi,
AFAIK zfcUser uses Bcrypt to manage passwords.
You can peep it in ZfcUser\Authentication\Adapter\Db, in authenticate:

    $fields = $this->getOptions()->getAuthIdentityFields();
    while ( !is_object($userObject) && count($fields) > 0 ) {
        $mode = array_shift($fields);
        switch ($mode) {
            case 'username':
                $userObject = $this->getMapper()->findByUsername($identity);
                break;
            case 'email':
                $userObject = $this->getMapper()->findByEmail($identity);
                break;
        }
    }

    $bcrypt = new Bcrypt();
    $bcrypt->setCost($this->getOptions()->getPasswordCost());
    if (!$bcrypt->verify($credential,$userObject->getPassword())) {
        // Password does not match
        $e->setCode(AuthenticationResult::FAILURE_CREDENTIAL_INVALID)
          ->setMessages(array('Supplied credential is invalid.'));
        $this->setSatisfied(false);
        return false;
    }

--
View this message in context:
http://zend-framework-community.634137.n4.nabble.com/ZfcUser-Password-Hash-Mechanism-Change-tp4659332p4659335.html
Sent from the Zend Framework mailing list archive at Nabble.com.
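
Added example, not part of the original thread and not ZfcUser code: a verify-then-rehash check that accepts the legacy sha1(sha1($salt) . $password) hashes described in the question and converts each user to bcrypt at their next successful login. It uses only PHP built-ins; the function names, the storage layout (raw salt in its own column, 40-character hex digest) and the sample values are assumptions.

```php
<?php
// Added example, not ZfcUser code. Assumed storage: legacy rows keep the raw
// $salt plus a 40-char hex SHA-1 digest; migrated rows keep a bcrypt string.

/** Legacy scheme as described in the post: sha1(sha1($salt) . $password). */
function legacyHash(string $salt, string $password): string
{
    return sha1(sha1($salt) . $password);
}

/**
 * Verify a login against either format.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the caller
 * should overwrite the stored hash (and drop the salt) for this user.
 */
function verifyAndUpgrade(string $password, string $stored, ?string $salt, int $cost = 12): array
{
    $isLegacy = (bool) preg_match('/^[0-9a-f]{40}$/i', $stored);

    if ($isLegacy) {
        // hash_equals() gives a constant-time comparison of the two digests.
        if ($salt === null || !hash_equals(strtolower($stored), legacyHash($salt, $password))) {
            return [false, null];
        }
        // The plaintext is only available at login, so re-hash it now.
        return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt; re-hash only if the configured cost has been raised.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])
        : null;
    return [true, $new];
}

// Constructed sample data (not from the thread).
$salt   = 'k3Jq9x';
$stored = legacyHash($salt, 'correct horse');

[$ok, $upgraded] = verifyAndUpgrade('correct horse', $stored, $salt, 10); // legacy row
var_dump($ok, password_verify('correct horse', $upgraded));
[$ok2, $again] = verifyAndUpgrade('correct horse', $upgraded, null, 10);  // migrated row
var_dump($ok2, $again);
[$bad] = verifyAndUpgrade('wrong', $stored, $salt, 10);                   // wrong password
var_dump($bad);
```

In a ZfcUser setup this logic would sit where the quoted authenticate code calls $bcrypt->verify, with the returned new hash written back through the user mapper.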