md5()的作用是什么? [英] What is md5() for?

问题描述

我正在阅读本教程中的简单的PHP登录系统. /p>

最后，建议您使用md5()加密密码.

尽管我知道这是一个初学者的教程，并且您不应该在此登录系统后添加银行对帐单，但这使我开始考虑加密.

所以我继续前进(这个站点对新手来说最有用的问题之一):

这就是我的想法，尽管我知道md5()可能不是最强的加密方法，但是始终产生相同结果的任何东西都可以进行逆向工程.

那么用md5()或任何其他方法加密某些东西的意义是什么?

如果黑客获得了使用md5()加密的密码，则他只会使用此页面！

现在是实际问题:

1. 密码加密如何工作?

我知道我还没有在这里发现巨大的Web漏洞！ :)我只想了解密码加密背后的逻辑.

我确定我了解错了，如果您能帮助我将我和其他人(我希望)弄清楚，我将不胜感激.

您将如何应用密码加密以使其真正有用?

2. 这个主意如何?

就像我说的那样，我可能会/或者会误会整个想法，但是，这种方法会在真实环境中增加安全性吗?

$reenc = array(
 "h38an",
 "n28nu",
 "fw08d"
 );

$pass = "Trufa";

$enc = chunk_split(md5($pass),5,$reenc[mt_rand(0,count($reenc)-1)]);

echo $enc;

如您所见，我在md5()密码中随机添加了任意字符串($reenc = array())，以使其具有唯一性".当然，这只是一个愚蠢的例子.

我可能是错的，但是除非您自己进行加密"，否则它总是很容易被逆转的.

上面是我的密码保护"和加密密码的想法，如果黑客入侵了他，除非他能够访问原始的.php，否则他将无法解密它.

我知道这可能甚至没有道理，但是我不知道为什么这是一个坏主意！

---

我希望我已经足够清楚了，但这是一个很长的问题，因此，请要求任何澄清！

提前谢谢！

解决方案

您应该具有encryption，例如md5或sha512.您还应该使用两种不同的盐，分别是static salt(由您自己编写)和用于特定密码的unique salt.

一些示例代码(例如registration.php):

$unique_salt = hash('md5', microtime()); 
$password = hash('md5', $_POST['password'].'raNdoMStAticSaltHere'.$unique_salt);

现在您有一个static salt，它对所有密码均有效，并存储在.php文件中.然后，在执行注册时，为该特定密码生成一个unique hash.

所有结果以以下形式结尾:两个拼写完全相同的密码将具有两个不同的hashes. unique hash与当前ID一起存储在database中.如果有人抓住database，则每个特定的密码都将包含每个unique salt.但是他们没有的是您的static salt，这对于那里的每个黑客"来说都很难.

例如，这是您如何在login.php上检查密码的有效性:

$user = //random username;
$querysalt = mysql_query("SELECT salt FROM password WHERE username='$user'");
while($salt = mysql_fetch_array($querysalt)) {
    $password = hash('md5',
          $_POST['userpassword'].'raNdoMStAticSaltHere'.$salt[salt]);
}

这是我过去使用的.它非常强大且安全.我自己更喜欢sha512加密.实际上只是将其放在哈希函数中，而不是在我的示例中为md5.

如果您想更加安全，可以将unique salt存储在完全不同的数据库中.

I was reading this tutorial for a simple PHP login system.

In the end it recommends that you should encrypt your password using md5().

Though I know this is a beginners' tutorial, and you shouldn't put bank statements behind this login system, this got me thinking about encryption.

So I went ahead and went to (one of the most useful questions this site has for newbies): What should a developer know before building a public web site?

There it says (under security) you should:

Encrypt Hash and salt passwords rather than storing them plain-text.

It doesn't say much more about it, no references.

So I went ahead and tried it myself:

$pass = "Trufa";
$enc = md5($pass);

echo $enc; #will echo 06cb51ce0a9893ec1d2dce07ba5ba710

And this is what got me thinking, that although I know md5() might not the strongest way to encrypt, anything that always produces the same result can be reverse engineered.

So what is the sense of encrypting something with md5() or any other method?

If a hacker gets to a password encrypted with md5(), he would just use this page!.

So now the actual questions:

1. How does password encryption work?

I know I have not discovered a huge web vulnerability here! :) I just want to understand the logic behind password encryption.

I'm sure I'm understanding something wrong, and would appreciate if you could help me set my though and other's (I hope) straight.

How would you have to apply password encryption so that it is actually useful?

2. What about this idea?

As I said, I may/am getting the whole idea wrong, but, would this method add any security in security to a real environment?

$reenc = array(
 "h38an",
 "n28nu",
 "fw08d"
 );

$pass = "Trufa";

$enc = chunk_split(md5($pass),5,$reenc[mt_rand(0,count($reenc)-1)]);

echo $enc;

As you see, I randomly added arbitrary strings ($reenc = array()) to my md5() password "making it unique". This of course is just a silly example.

I may be wrong but unless you "seed the encryption yourself" it will always be easily reversible.

The above would be my idea of "password protecting" and encrypted password, If a hacker gets to it he wont be able to decrypt it unless he gets access to the raw .php

I know this might not even make sense, but I can't figure out why this is a bad idea!

---

I hope I've made myself clear enough, but this is a very long question so, please ask for any clarification needed!

Thanks in advance!!

解决方案

You should have an encryption like md5 or sha512. You should also have two different salts, a static salt (written by you) and then also a unique salt for that specific password.

Some sample code (e.g. registration.php):

$unique_salt = hash('md5', microtime()); 
$password = hash('md5', $_POST['password'].'raNdoMStAticSaltHere'.$unique_salt);

Now you have a static salt, which is valid for all your passwords, that is stored in the .php file. Then, at registration execution, you generate a unique hash for that specific password.

This all ends up with: two passwords that are spelled exactly the same, will have two different hashes. The unique hash is stored in the database along with the current id. If someone grab the database, they will have every single unique salt for every specific password. But what they don't have is your static salt, which make things a lot harder for every "hacker" out there.

This is how you check the validity of your password on login.php for example:

$user = //random username;
$querysalt = mysql_query("SELECT salt FROM password WHERE username='$user'");
while($salt = mysql_fetch_array($querysalt)) {
    $password = hash('md5',
          $_POST['userpassword'].'raNdoMStAticSaltHere'.$salt[salt]);
}

This is what I've used in the past. It's very powerful and secure. Myself prefer the sha512 encryption. It's actually just to put that inside the hash function instead of md5 in my example.

If you wanna be even more secure, you can store the unique salt in a completely different database.

这篇关于md5()的作用是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！