nineinchnick / yii2-usr

Yii framework module for user authentication, password reset, registration and profile updating. A port of yii-usr to Yii Framework 2.0.
http://demo2.niix.pl
MIT License

Don't use diceware #40

Closed tom-- closed 9 years ago

tom-- commented 9 years ago

Diceware is insecure. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

It was rendered obsolete when password crackers started to use lists of words.

I was pleased that yii2-usr failed to install (see below) on this dependency because it drew my attention to it. But you should not include it because other users will not know that it is dangerous.

  Problem 1
    - Installation request for nineinchnick/yii2-usr dev-master -> satisfiable by nineinchnick/yii2-usr[dev-master].
    - nineinchnick/yii2-usr dev-master requires nineinchnick/diceware * -> no matching package found.

tom-- commented 9 years ago

In order to proceed with my testing, I have started removing diceware from my fork. I expect I can provide a PR soon.