Final Thoughts Concerning Security of Our Yii Apps
I know there are developers busting out of their cargo pants and skinny jeans at my proposition of not salting the password process. My opinion is that the constraints of the application you are building should dictate what you do. Yii has enough inherent security in this process to stave off many attacks our application could face.
Further, in theory, it is near impossible (if not impossible) to decrypt an md5 hash. There are things called rainbow tables which can be used to attack one-way hashed passwords. However, the chances of being successful with this are about the same as hitting the lottery, which — while possible — is so unlikely that your probability is effectively zero.
Salting our tables makes a near impossible probability practically impossible, if not impossible. The maxim of internet security we visited here is “security in layers.” The number of layers we should utilize depends on the pragmatic concerns of the project. Like Larry Ullman’s wonderful tutorial on supplying custom error messages after failed authentication attempts (this actually relinquishes another layer of Yii’s security), we may have justifications to enable less secure features for our users’ and app’s benefit.
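As an added example that is not part of the original tutorial or of Yii’s own code, the following PHP shows concretely what the salting layer discussed above changes about the stored hash. The function names and the two sample users are constructed for the illustration; the md5 call is kept to match the text.

```php
<?php
// Added example, not from the original tutorial or the Yii framework.
// Shows the difference between an unsalted md5 hash and one with a per-user salt.

// Generate a random per-user salt as a hex string (assumed helper name).
function makeSalt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Unsalted one-way hash, as discussed in the text.
function hashUnsalted(string $password): string {
    return md5($password);
}

// Salted hash: the salt is stored beside the hash so it can be re-applied at login.
function hashSalted(string $password, string $salt): string {
    return md5($salt . $password);
}

// Constant-time comparison of the stored hash with a freshly computed one,
// so the comparison itself does not leak timing information.
function verifySalted(string $password, string $salt, string $storedHash): bool {
    return hash_equals($storedHash, hashSalted($password, $salt));
}

// Constructed sample: two users who happen to choose the same password.
$users = [
    'alice' => ['password' => 'correct horse', 'salt' => makeSalt()],
    'bob'   => ['password' => 'correct horse', 'salt' => makeSalt()],
];

foreach ($users as $name => $u) {
    printf(
        "%-6s unsalted=%s salted=%s\n",
        $name,
        hashUnsalted($u['password']),
        hashSalted($u['password'], $u['salt'])
    );
}
// The two unsalted values are identical: one precomputed table (the rainbow
// table the text mentions) answers for both rows at once. The salted values
// differ, so a table would have to be built separately for each salt.

// Login check for alice against her stored salt and hash.
$stored = hashSalted('correct horse', $users['alice']['salt']);
var_dump(verifySalted('correct horse', $users['alice']['salt'], $stored));
var_dump(verifySalted('wrong password', $users['alice']['salt'], $stored));
```

Run it with `php salt_demo.php` (assumed file name). Rows sharing a password share one md5 unless salted; with a per-user salt the stored values differ and each must be attacked on its own. PHP’s built-in `password_hash()` / `password_verify()` bundle a random salt and a deliberately slow hash (bcrypt by default) into one call and are the usual choice today; this example stays with md5 only to mirror the text.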