安全的密码存储
[英]Secure password storage
问题描述
I'm developing a web service where users must login. 
我正在开发用户必须登录的Web服务。 I will store user data in an SQL database and input/output via PHP . 我将用户数据存储在SQL数据库中,并通过PHP进行输入/输出。 But I don't want to store it openly. 但是我不想公开存储它。 How do I encrypt the passwords in PHP so only those who knows the password can unlock it? 如何使用PHP加密密码,以便只有知道密码的人才能解锁密码?
I know services like phpBB uses some sort of hiding/encryption on stored passwords. 我知道phpBB之类的服务在存储的密码上使用某种隐藏/加密方法。
7 个解决方案
解决方案1
5 2010-12-02 12:14:02
You need to salt and hash the password, using an appropriately secure algorithm. 您需要使用适当的安全算法对密码进行加盐和哈希处理。
- PHP's mhash has appropriate hashing functions PHP的mhash具有适当的哈希功能
- A full example here on SO 关于SO的完整示例
解决方案2
3 已采纳 2010-12-02 13:11:00
The easiest way to get your password storage scheme secure is by using a standard library . 确保密码存储方案安全的最简单方法是使用标准库 。
Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option. 由于安全性往往要比大多数程序员独自解决的情况复杂得多,并且具有更多看不见的破坏可能性,因此使用标准库几乎总是最简单,最安全的(如果不是唯一的)可用选项。
See this answer for more info 查看此答案以获取更多信息
解决方案3
0 2010-12-02 12:12:41
You probably want to hash the password - not encrypt it. 您可能希望对密码进行哈希处理-不对其进行加密。 Check out SHA-1 . 签出SHA-1 。 Hashing means that you cannot retrieve the original data as you can with encryption. 散列意味着您无法像加密一样检索原始数据。 Instead what you do is hash the users input and compare it to the hash in the database to see if they've got the right password. 相反,您要做的是对用户输入的哈希进行哈希处理,并将其与数据库中的哈希进行比较,以查看他们是否具有正确的密码。 Doing this increases security as if your database was ever compromised - a bunch of hashes are useless. 这样做可以提高安全性,就好像您的数据库曾经遭到破坏一样-一堆哈希是无用的。
解决方案4
0 2010-12-02 12:14:47
保存MD5哈希,并使其更安全,添加盐。
解决方案5
0 2010-12-02 12:20:27
Well, you shouldn't encrypt them with MD5 (which is not really secured, most hackers have conversion tables). 好吧,您不应该使用MD5对其进行加密(这并不是很安全,大多数黑客都有转换表)。
Hence, you can hash it with SHA1 (which is usually used). 因此,您可以使用SHA1(通常使用)对其进行哈希处理。
If you want more security, you can add more salt which is a key you can add like this (just an example, usually used) : 如果您需要更高的安全性,则可以添加更多salt ,这是可以添加的密钥 (仅作为示例,通常使用):
salt+sha1(salt+pass)
This combination can be used with many language. 这种组合可以用于多种语言。
解决方案6
0 2010-12-02 12:22:00
Hash passwords in SHA-1 (sha1 php inbuilt function) with several recursions of salting (same code in the answers above, only loop through several times). 在SHA-1(sha1 php内置函数)中散列密码,并重复几次盐析(与以上答案中的相同代码,仅循环几次)。 This should be sufficient protection, so even if the intruders somehow get their hands on the hashes, they shouldn't be able to crack them... 这应该是足够的保护,所以即使入侵者以某种方式掌握了哈希,他们也不应该能够破解它们……
解决方案7
-1 2010-12-02 12:17:16
There is the possibility to hash passwords (preferably with a salt): 可以对密码进行哈希处理(最好加一个盐):
$salt = random_string($length = 5);
$hash = $salt . sha1($salt . $password);
Or store encrypted (only if your MySQL connection is SSL secured): 或存储加密的文件(仅当您的MySQL连接受SSL保护时):
INSERT INTO `user` (`user`,`pass`) VALUES("username",ENCRYPT("password","secretkey"))
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.