What is the best way to implement 2-way encryption with PHP?

Question

I would like to encrypt the passwords on my site using a 2-way encryption within PHP. I have come across the mcrypt library, but it seems so cumbersome. Anyone know of any other methods that are easier, but yet secure? I do have access to the Zend Framework, so a solution using it would do as well.

I actually need the 2-way encryption because my client wants to go into the db and change the password or retrieve it.

Recommended answer

You should store passwords hashed (and properly salted).

There are not enough excuses in the world to break this rule.

Currently, using crypt with CRYPT_BLOWFISH is the best practice.
CRYPT_BLOWFISH in PHP is an implementation of the Bcrypt hash. Bcrypt is based on the Blowfish block cipher.


  • If your client tries to log in, you hash the entered password and compare it to the hash stored in the DB. If they match, access is granted.

  • If your client wants to change the password, they will need to do it through some little script, that properly hashes the new password and stores it into the DB.

  • If your client wants to recover a password, a new random password should be generated and sent to your client. The hash of the new password is stored in the DB.

  • If your clients want to look up the current password, they are out of luck. And that is exactly the point of hashing passwords: the system does not know the password, so it can never be 'looked up'/stolen.

Jeff's blog: You're Probably Storing Passwords Incorrectly

If you want to use a standard library, you could take a look at: Portable PHP password hashing framework and make sure you use the CRYPT_BLOWFISH algorithm.

(Generally speaking, messing around with the records in your database directly is asking for trouble.
Many people -including very experienced DB administrators- have found that out the hard way.)
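
The login, change and recovery flows described in the answer, as an added example that is not part of the original answer: it hashes with crypt() and a CRYPT_BLOWFISH (bcrypt) salt string and verifies by re-hashing with the stored hash as the salt argument. The function names, the cost value and the sample passwords are assumptions made for illustration, and the code assumes PHP 7.1 or later; in current PHP, password_hash() and password_verify() wrap this same crypt() bcrypt scheme.

```php
<?php
// Added example: bcrypt via crypt()/CRYPT_BLOWFISH. All function names are hypothetical.

const BCRYPT_COST = 12; // assumed work factor; tune it to your hardware

function hash_password_for_storage(string $password): string
{
    if (CRYPT_BLOWFISH !== 1) {
        throw new RuntimeException('CRYPT_BLOWFISH is not available');
    }
    // 16 random bytes -> 22 characters from bcrypt's ./A-Za-z0-9 alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', BCRYPT_COST, $salt));
    if (strlen($hash) !== 60) {
        // crypt() signals failure with a short string such as "*0".
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash; // store this 60-character string in the DB
}

function verify_password(string $entered, string $storedHash): bool
{
    // The stored hash carries algorithm, cost and salt, so it serves as the salt argument.
    $candidate = crypt($entered, $storedHash);
    return hash_equals($storedHash, $candidate); // constant-time comparison
}

function reset_password(): array
{
    // Recovery: issue a new random password; only its hash is kept.
    $newPassword = bin2hex(random_bytes(12));
    return [$newPassword, hash_password_for_storage($newPassword)];
}

// Constructed sample values, not taken from the page.
$stored = hash_password_for_storage('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong guess', $stored));

[$plain, $newHash] = reset_password();
var_dump(strlen($plain), verify_password($plain, $newHash));
```

The plaintext from reset_password() is handed to the user once and never stored; the database column only ever receives the value returned by hash_password_for_storage().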
