简体繁体 English

如何通过PHP验证密码？

[英]How can I validate a password via PHP?

原文 2016-05-31 20:52:41 0 1 php/ validation/ security

I know that to store a password you have to hash it. 我知道要存储密码，您必须对其进行哈希处理。 I use password_hash and password_verify to do it. 我使用password_hash和password_verify来做到这一点。

But I am surprised that some people say that you do not need to validate a password before hash it, because you are going to hash it anyway. 但是令我惊讶的是，有人说您不需要在对密码进行哈希处理之前就对其进行验证，因为无论如何您都将对哈希进行哈希处理。

I think that at least it would be good practice to validate that the user enters a password with length more than an amount of characters or to make the user to input a special character ( * , " , ' , etc). At least to make the password strong. 我认为，至少要验证用户输入的密码长度超过字符数，或者让用户输入特殊字符（ * ， " ， '等），至少是一个好习惯。密码强。

So here I have some questions: 所以在这里我有一些问题：

Is it considered a good practice not validate anything about the password and only hash it? 是否不对密码进行任何验证而仅对密码进行散列是一种好习惯吗？
Has an additional security to make a validation before hash the password? 在散列密码之前是否还有其他安全措施可以进行验证？
If so, what should be considered in that validation? 如果是这样，那么在该验证中应考虑什么？

Note: I want to know all of these questions from security point of view. 注意：我想从安全角度了解所有这些问题。

Thanks in advance! 提前致谢！

1 个解决方案

Password strength requirements are context sensitive. 密码强度要求是上下文相关的。 You don't talk about your context. 您不会谈论自己的背景。

Normally I would set a minimun length, and compute some sort of complexity index, so as to prevent people from entering 'aaaaaaaa' or '12345678'. 通常，我会设置一个最小长度，并计算某种复杂性指数，以防止人们输入“ aaaaaaaa”或“ 12345678”。

But password strength requirements are annoying, especially when you dictate many rules. 但是密码强度要求很烦人，特别是当您规定许多规则时。

I often try to implement another strategy: I choose the password for my visitors. 我经常尝试实施另一种策略：选择访问者的密码。 This is not a new idea; 这不是一个新的想法; Think about the personal identification number for a credit card. 考虑一下信用卡的个人识别码。 This has many benefits: 这有很多好处：

My visitors don't have to choose a password, something they often find awkward. 我的访客不必选择密码，他们通常会觉得很尴尬。
I definitely control the complexity of the passwords. 我绝对控制密码的复杂性。
I cannot possibly know the often used password of my visitors (and hack their accounts on other sites). 我可能无法知道访客的常用密码（并在其他站点上破解他们的帐户）。

There's also a downside: The visitor has to 'remember' the password I chose. 还有一个缺点：访问者必须“记住”我选择的密码。 Keep it simple. 把事情简单化。 A four digit PIN already has 10000 variants. 一个四位数的PIN码已具有10000个变体。 To prevent abuse I limit the number of tries. 为了防止滥用，我限制了尝试次数。

For sites that needs to be very secure you could increase the complexity of the password and reissue passwords regularly. 对于需要非常安全的网站，您可以增加密码的复杂性并定期重新发出密码。 Do not store the password in your database, only store a salted hash. 不要将密码存储在数据库中，而只能存储加盐的哈希。 Don't email the password but show it in a SSL secured HTML page. 不要通过电子邮件发送密码，而是将其显示在受SSL保护的HTML页面中。 If the security requirements aren't that high you can ignore some of these rules. 如果安全要求不是很高，则可以忽略其中一些规则。