
Password Security for Shared Hosts (PHP 5.2+)

I'm working on some PHP meant to be deployed to users' servers - likely cheap/shared hosting (meaning lowest-common-denominator PHP 5.2, no modification of the PHP installation). Common advice for password hashes seems to be bcrypt or scrypt, via installable extensions for PHP 5.2.

I've been thinking about using an iterated SHA-512 with a beefy per-user salt, but it doesn't sound like it really compares to bcrypt/scrypt.

Without the ability to modify the base PHP installation, what options do I have for strong password security?

The first thing I would say is that PHP 5.2 should not be considered. It was declared end-of-life nearly two years ago, and hasn't had any security patches in that time, so any host still using it clearly doesn't take security seriously anyway. You should consider 5.3 as the minimum version these days.

Now on to passwords...

The next version of PHP (v5.5) will have a set of functions built in that provide standardised password hashing. The idea is to once and for all get rid of any excuse for bad password practice in PHP. Once this version is released, that will be the only recommended way to handle passwords.

In the meanwhile, you can download a compatibility library that implements the same functions for current PHP versions. Download it from here: https://github.com/ircmaxell/password_compat

My recommendation is to use this library, enclosed in an if(function_exists()) wrapper. That way you'll be using best practice, and also be ready to use the built-in funcs when 5.5 is released.

See also: http://www.h-online.com/open/news/item/PHP-5-5-should-reduce-password-sloppiness-1707835.html for reference.

Hope that helps.
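The function_exists() wrapper this answer recommends, written out as an added example (this is not the answerer's code and not part of password_compat itself). It assumes the library's lib/password.php has been copied next to this script; the helper names make_password_hash and check_password are hypothetical.

```php
<?php
// Added example: load ircmaxell/password_compat only when the native PHP 5.5
// functions are absent, then call the standard API either way.
// Assumption: the library file sits at lib/password.php relative to this script.
if (!function_exists('password_hash')) {
    require_once dirname(__FILE__) . '/lib/password.php';
}

// bcrypt work factor; raise it as hosts get faster, existing hashes are
// upgraded on the next successful login by check_password() below.
define('PW_COST', 10);

// Hash a new password with the library default (bcrypt, "$2y$" prefix).
function make_password_hash($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT, array('cost' => PW_COST));
}

// Verify a login attempt. Returns array('ok' => bool, 'rehash' => string|null):
// when 'rehash' is non-null the stored hash used outdated parameters and the
// caller should persist the new value.
function check_password($plain, $storedHash)
{
    if (!password_verify($plain, $storedHash)) {
        return array('ok' => false, 'rehash' => null);
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, array('cost' => PW_COST))) {
        $newHash = password_hash($plain, PASSWORD_DEFAULT, array('cost' => PW_COST));
    }
    return array('ok' => true, 'rehash' => $newHash);
}

// Usage (constructed sample): hash at registration, verify at login.
$stored = make_password_hash('correct horse battery staple');
$result = check_password('correct horse battery staple', $stored);
if ($result['ok'] && $result['rehash'] !== null) {
    $stored = $result['rehash']; // write the upgraded hash back to the user record
}
```

password_compat needs PHP 5.3.7 or later, because earlier bcrypt implementations in PHP had a known flaw that the "$2y$" prefix was introduced to avoid, so this only works once you follow the answer's advice to treat 5.3 as the floor.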

As mentioned in the comments to the original question, a PHP < 5.2 implementation of PBKDF2 is available at http://crackstation.net/hashing-security.htm .

PBKDF2 is arguably a better option than bcrypt/scrypt, having been much more thoroughly studied and tested.
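For a host stuck on a stock PHP 5.2, here is a PBKDF2-HMAC password scheme as an added example (it is not the crackstation.net code and not the answerer's). It relies only on hash_hmac(), which has shipped with PHP since 5.1.2; the constant and function names, the storage format and the iteration count are this example's own choices.

```php
<?php
// Added example, not the crackstation.net library: PBKDF2-HMAC in plain PHP that
// needs only hash_hmac() (PHP >= 5.1.2), so it runs on a stock PHP 5.2 host.
// Algorithm, iteration count and salt are stored with the hash so the parameters
// can be raised later without invalidating old records.

define('PBKDF2_HASH_ALGORITHM', 'sha256');
define('PBKDF2_ITERATIONS', 20000);   // starting point; tune to ~100 ms on the real host
define('PBKDF2_SALT_BYTES', 16);
define('PBKDF2_HASH_BYTES', 32);

// RFC 2898 PBKDF2 with HMAC-<algorithm> as the PRF; returns $keyLength raw bytes.
function pbkdf2($algorithm, $password, $salt, $iterations, $keyLength)
{
    $algorithm = strtolower($algorithm);
    if (!in_array($algorithm, hash_algos(), true)) {
        trigger_error('PBKDF2: unknown hash algorithm', E_USER_ERROR);
    }
    if ($iterations <= 0 || $keyLength <= 0) {
        trigger_error('PBKDF2: iterations and key length must be positive', E_USER_ERROR);
    }
    $hashLength = strlen(hash_hmac($algorithm, '', '', true));
    $blockCount = (int) ceil($keyLength / $hashLength);
    $output = '';
    for ($i = 1; $i <= $blockCount; $i++) {
        // U_1 = PRF(password, salt || INT_32_BE(i));  T_i = U_1 xor U_2 xor ... xor U_c
        $last = $xorsum = hash_hmac($algorithm, $salt . pack('N', $i), $password, true);
        for ($j = 1; $j < $iterations; $j++) {
            $last = hash_hmac($algorithm, $last, $password, true);
            $xorsum ^= $last; // bytewise XOR of equal-length binary strings
        }
        $output .= $xorsum;
    }
    return substr($output, 0, $keyLength);
}

// Random salt. /dev/urandom is the only CSPRNG a bare PHP 5.2 host is likely to
// expose; the mt_rand() fallback is NOT cryptographically strong and is kept only
// so the code degrades with a logged warning instead of failing outright.
function pbkdf2_random_salt($bytes)
{
    if (is_readable('/dev/urandom')) {
        $fp = fopen('/dev/urandom', 'rb');
        $salt = fread($fp, $bytes);
        fclose($fp);
        if (strlen($salt) === $bytes) {
            return $salt;
        }
    }
    error_log('pbkdf2_random_salt: /dev/urandom unavailable, using weak mt_rand() fallback');
    $salt = '';
    for ($i = 0; $i < $bytes; $i++) {
        $salt .= chr(mt_rand(0, 255));
    }
    return $salt;
}

// Produces "algorithm:iterations:salt_base64:hash_base64" for storage.
function create_password_hash($password)
{
    $salt = pbkdf2_random_salt(PBKDF2_SALT_BYTES);
    $hash = pbkdf2(PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES);
    return PBKDF2_HASH_ALGORITHM . ':' . PBKDF2_ITERATIONS . ':'
         . base64_encode($salt) . ':' . base64_encode($hash);
}

// Constant-time comparison: PHP 5.2 has no hash_equals(), and a plain == stops at
// the first differing byte, which leaks match length through response timing.
function slow_equals($a, $b)
{
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Recomputes the hash with the parameters stored in the record and compares.
function validate_password($password, $stored)
{
    $parts = explode(':', $stored);
    if (count($parts) !== 4) {
        return false;
    }
    list($algorithm, $iterations, $salt, $hash) = $parts;
    $salt = base64_decode($salt, true);
    $hash = base64_decode($hash, true);
    if ($salt === false || $hash === false || (int) $iterations < 1) {
        return false;
    }
    $candidate = pbkdf2($algorithm, $password, $salt, (int) $iterations, strlen($hash));
    return slow_equals($hash, $candidate);
}

// Usage (constructed sample):
$record = create_password_hash('correct horse battery staple');
var_dump(validate_password('correct horse battery staple', $record)); // bool(true)
var_dump(validate_password('wrong password', $record));               // bool(false)
```

Because each record carries its own algorithm and iteration count, the constants can be raised at any time and old records keep validating; rehashing on the next successful login then migrates users to the stronger parameters.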

