用PHP和MySQL增强哈希值 [英] Salting my hashes with PHP and MySQL
问题描述
像大多数用户一样,我只是在试图找出一种安全的密码存储方式.我在这里找不到的(或者可能是我缺乏了解)是如何在数据库中检索加盐的哈希并将盐与哈希密码分开,尤其是尤其是,每个密码都有唯一的盐,同时将salt + password保留在单个列中.
我发现了所有这些很酷的方式来加密密码(SHA-256,但是MySQL仅支持SHA/1和MD5吗?)和PHP手册中的其他内容,但是不确定如何存储和检索密码. /p>
到目前为止,这就是我所了解的:
SHA('$salt'.'$password') // My query sends the password and salt
// (Should the $salt be a hash itself?)
那之后我迷失了盐.
不加盐就检索密码很容易,但是盐使我感到困惑.我又从哪里获得$ salt的价值,特别是如果它是唯一且安全的呢?是否将它们隐藏在另一个数据库中?常量(似乎不安全)?
编辑:HMAC中的关键变量应该是盐还是其他东西?
首先,您的DBMS(MySQL)不需要任何对加密哈希的支持.您可以在PHP方面完成所有这些工作,这也是您应该做的.
如果要将盐和哈希存储在同一列中,则需要将它们连接起来.
// the plaintext password
$password = (string) $_GET['password'];
// you'll want better RNG in reality
// make sure number is 4 chars long
$salt = str_pad((string) rand(1, 1000), 4, '0', STR_PAD_LEFT);
// you may want to use more measures here too
// concatenate hash with salt
$user_password = sha512($password . $salt) . $salt;
现在,如果要验证密码,请执行以下操作:
// the plaintext password
$password = (string) $_GET['password'];
// the hash from the db
$user_password = $row['user_password'];
// extract the salt
// just cut off the last 4 chars
$salt = substr($user_password, -4);
$hash = substr($user_password, 0, -4);
// verify
if (sha512($password . $salt) == $hash) {
echo 'match';
}
您可能想看看 phpass ,它也使用了这种技术.这是一个PHP哈希解决方案,除了其他功能外,还使用了加盐功能.
您肯定应该看一下WolfOdrade所链接问题的答案.
Like most users, I'm simply trying to figure out a secure way to store passwords. What I haven't found here (or maybe it's my lack of understanding) is how to retrieve a salted hash in my database and separate the salt from the hashed password, especially with unique salts to each password while maintaining the salt+password in a single column.
I'm finding all these cool ways to encrypt passwords (SHA-256, but does MySQL only support SHA/1 and MD5?) and other things from the PHP manual, but not sure how store and retrieve the passwords.
So, far this is all I understand:
SHA('$salt'.'$password') // My query sends the password and salt
// (Should the $salt be a hash itself?)
After that I'm lost with salts.
Retrieving the password without a salt is easy, but the salt confuses me. Where do I get the value from $salt again, especially if it's unique and secure? Do I hide them in another database? Constant (seems unsafe)?
EDIT: Is the key variable in HMAC supposed to be salt or is this something else?
First of all, your DBMS (MySQL) does not need to have any support for cryptographic hashes. You can do all of that on the PHP side, and that's also what you should do.
If you want to store salt and hash in the same column you need to concatenate them.
// the plaintext password
$password = (string) $_GET['password'];
// you'll want better RNG in reality
// make sure number is 4 chars long
$salt = str_pad((string) rand(1, 1000), 4, '0', STR_PAD_LEFT);
// you may want to use more measures here too
// concatenate hash with salt
$user_password = sha512($password . $salt) . $salt;
Now, if you want to verify a password you do:
// the plaintext password
$password = (string) $_GET['password'];
// the hash from the db
$user_password = $row['user_password'];
// extract the salt
// just cut off the last 4 chars
$salt = substr($user_password, -4);
$hash = substr($user_password, 0, -4);
// verify
if (sha512($password . $salt) == $hash) {
echo 'match';
}
You might want to take a look at phpass, which also uses this technique. It is a PHP hashing solution which uses salting amongst some other things.
You should definitely take a look at the answer to the question WolfOdrade linked to.
这篇关于用PHP和MySQL增强哈希值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
