What way is the best way to hash a password?


Question


I'm working on a website that should be very safe for the users, so I need to hash the passwords. Usually I'm using MD5, but I read that it isn't safe anymore. So I tried PHPass, but then I read that it also has been cracked. So I tried password_hash() of PHP 5.5, but I use HostGator, and the PHP there is 5.4. Also I want to be able to add salt without knowing it (like time() * userid()), like in password_hash().

The hash strength is very important to me because I want to be 100% sure that my users are safe. So is there a way that is very safe, and not something like SHA that will be hacked soon?

Solution

Use this library which provides forward compatibility with the password_* functions.

Example usage:

require_once("password.php"); // imports the library, assuming it's in the same directory as the current script

$password = "HelloStackOverflow"; // example password

$hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password

$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10)); // you can set the "complexity" of the hashing algorithm, it uses more CPU power but it'll be harder to crack, even though the default is already good enough

if (password_verify($password, $hash)) { // checking if a password is valid
    /* Valid */
} else {
    /* Invalid */
}
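
The question asks how to add a salt "without knowing it"; password_hash() already does this by generating a random salt and storing it inside the hash string. The following is an added example, not part of the original answer: it shows the embedded salt and upgrades the cost at login with password_needs_rehash(). The in-memory $users array and the helper names register_user and login_user are assumptions made for illustration.

```php
<?php
// Added example. On PHP < 5.5, load a compatibility library first, as in the
// answer above: require_once("password.php");

$users = array(); // username => stored hash (constructed stand-in for a user table)

function register_user(array &$users, $name, $password, $cost)
{
    // No salt argument: password_hash() draws a random salt itself and embeds
    // it, together with the algorithm and cost, in the returned string.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, array("cost" => $cost));
}

function login_user(array &$users, $name, $password, $currentCost)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The plaintext is only available at login, so this is the moment to
    // re-hash entries that were created with an older, cheaper cost.
    $options = array("cost" => $currentCost);
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Two accounts with the same (constructed) password, hashed at cost 10.
register_user($users, "alice", "HelloStackOverflow", 10);
register_user($users, "bob", "HelloStackOverflow", 10);

// Different random salts give different hashes for identical passwords.
var_dump($users["alice"] !== $users["bob"]);

// bcrypt string layout: "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest.
$info = password_get_info($users["alice"]);
echo $info["algoName"], " cost=", $info["options"]["cost"],
     " salt=", substr($users["alice"], 7, 22), "\n";

// A wrong password is rejected and leaves the stored hash untouched.
var_dump(login_user($users, "alice", "wrong password", 12));

// A correct login with the site's cost raised to 12 transparently re-hashes.
var_dump(login_user($users, "alice", "HelloStackOverflow", 12));
$after = password_get_info($users["alice"]);
echo "cost after login: ", $after["options"]["cost"], "\n";
```

Because the salt and cost travel inside the hash, a single text column of at least 60 characters is enough to store a bcrypt hash, and password_verify() needs no separate salt field.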
