不推荐使用mcrypt，替代方法是什么? [英] mcrypt is deprecated, what is the alternative?

问题描述

mcrypt扩展名是已弃用将根据此处中发布的注释在PHP 7.2中删除.因此，我正在寻找一种加密密码的替代方法.

The mcrypt-extension is deprecated will be removed in PHP 7.2 according to the comment posted here. So I am looking for an alternative way to encrypt passwords.

现在我正在使用类似的东西

Right now I am using something like

mcrypt_encrypt(MCRYPT_RIJNDAEL_128, md5($key, true), $string, MCRYPT_MODE_CBC, $iv)

我需要您的意见以最好/最有效的方式来加密密码，当然，加密的密码应该受PHP 7.xx支持，并且也应该可以解密，因为我的客户确实希望有一个选择来恢复"他们的密码而无需产生一个新的.

I need your opinion for the best/strongest way to encrypt passwords, the encrypted password should of course supported by PHP 7.xx and should also be decryptable because my customers do want to have an option to 'recover' their passwords without generating a new one.

推荐答案

最佳做法是对密码进行哈希处理，以使密码不可解密.对于可能已经获得对您的数据库或文件的访问权限的攻击者来说，这会使事情变得更加困难.

It's best practice to hash passwords so they are not decryptable. This makes things slightly more difficult for attackers that may have gained access to your database or files.

如果必须加密数据并使其可解密，请访问 https://paragonie.com/white-paper/2015-secure-php-data-encryption .总结该链接:

If you must encrypt your data and have it decryptable, a guide to secure encryption/decryption is available at https://paragonie.com/white-paper/2015-secure-php-data-encryption. To summarize that link:

• 使用 Libsodium -PHP扩展
• 如果您不能使用Libsodium，请使用 defuse/php-encryption -直接的PHP代码
• 如果您不能使用Libsodium或defuse/php-encryption，请使用 OpenSSL -许多服务器已经安装了该服务器.如果没有，则可以使用--with-openssl [= DIR]
进行编译.

• Use Libsodium - A PHP extension
• If you can't use Libsodium, use defuse/php-encryption - Straight PHP code
• If you can't use Libsodium or defuse/php-encryption, use OpenSSL - A lot of servers will already have this installed. If not, it can be compiled with --with-openssl[=DIR]

这篇关于不推荐使用mcrypt，替代方法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！