PHP密码保护足够安全
[英]PHP password protection secure enough
问题描述
Before I start I'd like to apologise for bringing up this subject once again, as many users did, but with a research I did, I wasn't happy with what I've found. 
在我开始之前,我想再次提出这个问题而道歉,正如许多用户所做的那样,但通过我做过的研究,我对我发现的内容并不满意。 I just hope to come up with something really helpful here. 我只希望能在这里找到一些非常有用的东西。
Since md5 or sha1 are considered bad practice (even when using salts ???), I have tried to create this function for hashing my password 因为md5或sha1被认为是不好的做法(即使使用salt ???),我也试图创建这个函数来哈希我的密码
$password = $_POST['password']; // lets say that my password is: my_sercretp@ssword123
function encrypt_the_password($password){
$salt = "lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit";
return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password);
Note that this one I use it in a personal website with only one user, me. 请注意,这个我在一个只有一个用户的个人网站上使用它,我。 In case of having more than one users I come up with something like this: 如果有多个用户,我会想出这样的事情:
$password = $_POST['password'];
function generate_salt() {
$salt = uniqid(md5("lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit".microtime()));
$salt = hash('sha256', $salt);// can use also different algorithm like sha512 or whirlpool
return $salt;
}
function encrypt_the_password($password,$salt){
return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password,generate_salt());
Is this secure enough (in each case) or can this improved more??? 这是否足够安全(在每种情况下)或者这可以改善更多???
MY EDIT: I tried to come up with something new using the crypt() function. 我的编辑:我尝试使用crypt()函数提出一些新的东西。 Here's my code in case of having a site with only one user, admin: 这是我的代码,如果网站只有一个用户,admin:
$password = $_POST['password'];
$salt = "L0r3mIpsUmD0l0rS1tAm3t";
$hashed_password = crypt($password', '$2a$12$' . $salt);
and in case of having a site with more than one users: 如果网站有多个用户:
$password = $_POST['password'];
function generate_salt() {
$salt = uniqid(sha1("L0r3mIpsUmD0l0rS1tAm3tc0ns3CT3tur4d1p1sc1ng3lit".microtime()));
$salt = substr(sha1($salt), 0, 22);
return $salt;
}
$hashed_password = crypt($password', '$2a$12$' . generate_salt());
Is this ok or needs improvements??? 这样可以还是需要改进???
2 个解决方案
解决方案1
6 已采纳 2013-03-29 08:38:42
Improve it by not making up your own algorithm. 通过不编写自己的算法来改进它。 Your algorithm is insecure because your salt is constant and you only hash with one iteration of SHA256, which is computationally cheap. 你的算法是不安全的,因为你的salt是常量的,你只需要使用SHA256的一次迭代进行散列,这在计算上很便宜。
Instead, use Bcrypt , which is both computationally expensive and verified by people who know what they're doing, so it's much safer than your solution. 相反,使用Bcrypt ,这在计算上既昂贵又由知道他们正在做什么的人验证,所以它比你的解决方案更安全。
解决方案2
3 2013-03-29 08:38:07
You should use the password functions that will come inbuilt in PHP 5.5. 您应该使用PHP 5.5中内置的密码函数。 There's a fallback library by ircmaxell that can provide the functions in earlier versions of PHP: https://github.com/ircmaxell/password_compat ircmaxell有一个回退库,它可以提供早期版本的PHP中的函数: https : //github.com/ircmaxell/password_compat
It will always use the most recent hashing technique available, and in case even update the records for you. 它将始终使用最新的哈希技术,以防万一甚至为您更新记录。 Make sure you read the README coming along with this library. 请务必阅读此库附带的README。
Do not make your own hashing function. 不要自己进行散列函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.