使用 Code Igniter 存储密码的最安全方法是什么? [英] What is the safest way to store a password using Code Igniter?
问题描述
我在当前项目中使用 Code Igniter.
I am using Code Igniter for my current project.
截至目前,我使用 MD5 进行密码散列,但我在很多地方都读到过,这样做不是一个好习惯.
As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so.
我应该带什么?
- 使用盐
- 或者我应该使用 bcrypt
另外,如果推荐bcrypt,那么如何将它与Code Igniter一起使用?
Also, if bcrypt is recommended, then how to use it with Code Igniter?
我已将这些文件放在 application/libraries
- PasswordHash.php
- c/Makefile
- c/crypt_private.c
在我的控制器中,我正在使用此代码 -
In my controller, I am using this code -
$params = array(
'phpass_hash_strength' => 8,
'phpass_hash_portable' => FALSE
);
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);
我收到这些错误 -
A PHP Error was encountered
Severity: Notice
Message: Uninitialized string offset: 3
Filename: libraries/PasswordHash.php
Line Number: 116
<小时>
A PHP Error was encountered
Severity: Warning
Message: strpos() [function.strpos]: Empty delimiter
Filename: libraries/PasswordHash.php
Line Number: 116
<小时>
更新
删除了 PasswordHash.php,现在使用 SimpleLoginSecure.
推荐答案
使用 bcrypt.这个讨论出现在这里对我的评论中回答.您可以使用诸如 phppass 之类的库来真正简化密码加密.
Use bcrypt. This discussion came up here in the comments to my answer. You can use a library such as phppass to really simplify the password encryption.
关于盐的问题.用它!否则有人可以简单地去这个网站 并下载涵盖绝大多数的彩虹表普通用户选择的密码.尤其是在过去几个月发生的所有安全漏洞的情况下,现在不是说你不会使用像随机盐这样简单的东西来实现的时候.
On the matter of salt. Use it! Otherwise somebody can simply go to this site and download the rainbow tables that will cover the large majority of passwords the average users chooses. Especially with all the security leaks in the last few months, now is not the time to be saying you won't use something as simple to implement as random salt.
更新
要在 CI 中使用 PHPPass,请从上面链接的 phppass 网站下载并提取文件.将 PasswordHash.php 文件放入 CI 应用程序/库目录.
To use PHPPass with CI, download and extract the files from the phppass website, linked above. Put the PasswordHash.php file into your CI application/libraries directory.
在您的代码中,您然后通过以下方式加载库:$this->load->library('PasswordHash',array(8, FALSE));
In your code, you then load the library via: $this->load->library('PasswordHash',array(8, FALSE));
散列密码就像 $this->PasswordHash->HashPassword($password);
以后检查密码是否正确,就这么简单:
To later check if a password is correct, it is as simple as:
$password = $_POST['password'];
$actualPassword = /*Get the hashed password from your db*/;
$check = $this->PasswordHash->CheckPassword($password, $actualPassword);
我从 http://dev.myunv 获取了这个演示.com/articles/secure-passwords-with-phpass/ 为您提供更多信息.我稍微修改了该教程以利用 CI 的加载程序,这就是为什么您不需要 include 或 new 语句的原因.
I've taken this demo from http://dev.myunv.com/articles/secure-passwords-with-phpass/ which gives you a lot more informations. I've modified that tutorial slightly to utilize CI's loader which is why you don't need the include or new statements.
这篇关于使用 Code Igniter 存储密码的最安全方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
