
What's the difference between phpass and hash_hmac?

I'm trying to store a password in a cookie. Stack Overflow seems to recommend hash_hmac, but WordPress uses phpass?

What's the difference from a security perspective and which should be used?

This is a really bad idea. You should use session_start(), which does everything for you, and then you can use $_SESSION to store information about that user. If you store a password hash in the database and use it as a cookie, then you totally undermine the purpose of hashing passwords. An attacker can use SQL injection to obtain the hash and then just log in without having to crack the hash.

WordPress was vulnerable to this a few years ago. That code base has had some very serious security problems.
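
The session-based approach recommended in the answer above, as an added example that is not part of the original answer: the cookie carries only a random session ID, and the password hash never leaves the server. The `$users` array, the helper function names and the HTTPS assumption are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample user store standing in for a database table (assumption).
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function start_secure_session(): void
{
    // The cookie only ever holds a random session ID, never the password or its hash.
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    // password_verify() checks the submitted password against the stored hash server-side.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID after login prevents session fixation
    $_SESSION['user_id'] = $user['id'];   // state lives on the server, keyed by the session ID
    return true;
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// Demo run: collect results first so nothing is output before the session calls.
start_secure_session();
$results = [
    'wrong password accepted'  => login($users, 'alice', 'wrong'),
    'user after failed login'  => current_user_id(),
    'right password accepted'  => login($users, 'alice', 'correct horse'),
    'user after good login'    => current_user_id(),
];
var_dump($results);
```

A hash read out of the database is useless as a credential here, because the server only accepts the plaintext password at login and a server-issued session ID afterwards.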

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.
