Secure password storage
Question
I'm developing a web service where users must login. I will store user data in an SQL database and input/output via PHP . But I don't want to store it openly. How do I encrypt the passwords in PHP so only those who knows the password can unlock it?
I know services like phpBB uses some sort of hiding/encryption on stored passwords.
7 answers
solution1
5 2010-12-02 12:14:02
You need to salt and hash the password, using an appropriately secure algorithm.
- PHP's mhash has appropriate hashing functions
- A full example here on SO
solution2
3 ACCPTED 2010-12-02 13:11:00
The easiest way to get your password storage scheme secure is by using a standard library .
Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option.
See this answer for more info
solution3
0 2010-12-02 12:12:41
You probably want to hash the password - not encrypt it. Check out SHA-1 . Hashing means that you cannot retrieve the original data as you can with encryption. Instead what you do is hash the users input and compare it to the hash in the database to see if they've got the right password. Doing this increases security as if your database was ever compromised - a bunch of hashes are useless.
solution4
0 2010-12-02 12:14:47
保存MD5哈希,并使其更安全,添加盐。
solution5
0 2010-12-02 12:20:27
Well, you shouldn't encrypt them with MD5 (which is not really secured, most hackers have conversion tables).
Hence, you can hash it with SHA1 (which is usually used).
If you want more security, you can add more salt which is a key you can add like this (just an example, usually used) :
salt+sha1(salt+pass)
This combination can be used with many language.
solution6
0 2010-12-02 12:22:00
Hash passwords in SHA-1 (sha1 php inbuilt function) with several recursions of salting (same code in the answers above, only loop through several times). This should be sufficient protection, so even if the intruders somehow get their hands on the hashes, they shouldn't be able to crack them...
solution7
-1 2010-12-02 12:17:16
There is the possibility to hash passwords (preferably with a salt):
$salt = random_string($length = 5);
$hash = $salt . sha1($salt . $password);
Or store encrypted (only if your MySQL connection is SSL secured):
INSERT INTO `user` (`user`,`pass`) VALUES("username",ENCRYPT("password","secretkey"))
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.