良好的安全习惯和密码? [英] Good security practice and passwords?

问题描述

一个一般性问题.
在我的网站上，我具有登录功能.用户详细信息存储在MYSQL数据库中，并与PHP交互.密码存储为固定的md5哈希和. (所有规范都在其中)

通常，我会使用会话来跟踪登录，但是由于某些原因，我的托管公司不喜欢它们.但是我有个快速解决方法.

登录时，它会创建一个包含用户名和密码的Cookie，并以一个小时的过期时间登录.每次页面加载时，都会针对数据库检查这些详细信息.除拦截数据包等外，我看不到其他楼层.这是否是解决我的问题的可行方法，或者在安全性方面有点风险吗?

代码段似乎无关紧要，但是我可以提供.感谢您提供有关此问题的任何提示.

A bit of a general question.
In my website I have a login feature. User details are stored in a MYSQL database and interacted with PHP. Passwords are stored as a salted md5 hash sum. (All the norm there)

Normally I would use sessions to track logins however my hosting company didn''t like them for some reason. But I had a quick fix.

When you login it creates a cookie of the username and password you logged in with + an expirey time of an hour. Every time a page loads it checks these details against the database. I can''t see any floors other than intercepting packets etc. Is this a viable solution to my problem, or is it a bit risky regarding security?

Code snippets seem irrelevant, but I can provide. Thank You for any tips with this matter.

推荐答案

否.绝对不安全的是MD5.发现它已损坏.请参见 http://en.wikipedia.org/wiki/MD5 [ http://en.wikipedia.org/wiki/Cryptographic_hash_function [ ^ ]).请参阅: http://en.wikipedia.org/wiki/SHA2 [

—SA

No. What is absolutely unsafe is MD5. It was found to be broken. See http://en.wikipedia.org/wiki/MD5[^].

Switch to the cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function[^]) from the SHA family. See: http://en.wikipedia.org/wiki/SHA2[^].

Don''t rely on "safe place", this is not enough. Change the cryptographic hash function.

—SA

这篇关于良好的安全习惯和密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！