SHA1 vs md5 vs SHA256: which to use for a PHP login?


Question

I'm making a php login, and I'm trying to decide whether to use SHA1 or Md5, or SHA256 which I read about in another stackoverflow article. Are any of them more secure than others? For SHA1/256, do I still use a salt?

Also, is this a secure way to store the password as a hash in mysql?

function createSalt()
{
    // 3 hex characters taken from an md5 of uniqid()+rand()
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();

// $password is the submitted plaintext password
$hash = sha1($salt . $password);

Answer

Neither. You should use bcrypt. The hashes you mention are all optimized to be quick and easy on hardware, and so cracking them shares the same qualities. If you have no other choice, at least be sure to use a long salt and re-hash multiple times.

PHP 5.5 offers new functions for password hashing. This is the recommended approach for password storage in modern web applications.

// Creating a hash
$hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
// If you omit the ['cost' => 12] part, it will default to 10

// Verifying the password against the stored hash  
if (password_verify($password, $hash)) {
    // Success! Log the user in here.
}

If you're using an older version of PHP you really should upgrade, but until you do you can use password_compat to expose this API.

Also, let password_hash() generate the salt for you. It uses a CSPRNG.

  1. Bcrypt will silently truncate any password longer than 72 characters.
  2. Bcrypt will truncate after any NUL characters.

(Proof of Concept for both caveats here.)

You might be tempted to resolve the first caveat by pre-hashing your passwords before running them through bcrypt, but doing so can cause your application to run headfirst into the second.

Instead of writing your own scheme, use an existing library written and/or evaluated by security experts.

  • Zend\Crypt (part of Zend Framework) offers BcryptSha
  • PasswordLock is similar to BcryptSha but it also encrypts the bcrypt hashes with an authenticated encryption library.

TL;DR - use bcrypt.
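As an added example (not code from the original question or answer, and not PHP's own documentation), here is the flow the answer recommends in working PHP: hash with password_hash() at cost 12, verify with password_verify(), upgrade old hashes on login with password_needs_rehash(), and refuse input that bcrypt would silently truncate (the two caveats above) instead of pre-hashing it. The users table, the helper names and the sample account are assumptions made for illustration; the storage uses PDO prepared statements, which is the piece the asker's snippet left out.

```php
<?php
// Added example, not part of the original question or answer: a minimal
// password-storage flow built on password_hash()/password_verify(), with a
// guard for the two bcrypt caveats the answer lists. Assumes PHP >= 7.1
// (nullable return types) and a table users(id, email, password_hash);
// the table layout and the helper names are this example's own choices.

declare(strict_types=1);

const BCRYPT_COST = 12;       // the answer's suggested cost; PHP's default is 10
const BCRYPT_MAX_BYTES = 72;  // bcrypt ignores every byte past this one

/**
 * Refuse input bcrypt would silently truncate, instead of pre-hashing it
 * (which, as the answer notes, runs into the NUL-byte caveat).
 * strlen() counts bytes, which is what bcrypt's limit is measured in;
 * mb_strlen() would undercount multi-byte UTF-8 characters.
 */
function checkPasswordInput(string $password): void
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    if (strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('password contains a NUL byte');
    }
}

/** Hash a new password; password_hash() draws the salt from a CSPRNG itself. */
function hashPassword(string $password): string
{
    checkPasswordInput($password);
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {          // false on failure in PHP 7.x
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/** Registration: only the hash is stored, via a prepared statement. */
function registerUser(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => hashPassword($password)]);
}

/**
 * Login: verify against the stored hash and return the user id, or null.
 * After a successful login, a hash made with an older cost or algorithm is
 * transparently upgraded, so raising BCRYPT_COST later is painless.
 */
function loginUser(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // unknown account and wrong password look the same to the caller (timing aside)
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => hashPassword($password), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Offline demonstration against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT UNIQUE, password_hash TEXT)');

registerUser($pdo, 'alice@example.com', 'correct horse battery staple');
var_dump(loginUser($pdo, 'alice@example.com', 'correct horse battery staple')); // int(1)
var_dump(loginUser($pdo, 'alice@example.com', 'not the password'));             // NULL

// Caveat 1 in action: bytes beyond the 72nd never reach bcrypt, so a
// 77-byte password verifies against the hash of its first 72 bytes...
$first72 = str_repeat('a', 72);
var_dump(password_verify($first72 . 'EXTRA', password_hash($first72, PASSWORD_BCRYPT))); // bool(true)
// ...which is exactly why hashPassword() rejects such input up front.
try {
    hashPassword($first72 . 'EXTRA');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // password longer than 72 bytes
}
```

Run it with `php example.php` on PHP 7.1 or later with the pdo_sqlite extension loaded; for the asker's MySQL setup, swap the DSN and the table DDL and the rest of the code stays the same. The length and NUL checks enforce the answer's advice at the input boundary: a user gets a clear error at registration rather than a password whose tail is silently ignored.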
