如何安全地存储用户密码? [英] How can I store my users' passwords safely?

问题描述

这比普通的 MD5 安全得多吗?我刚刚开始研究密码安全性.我对PHP还是很陌生.

How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP.

$salt = 'csdnfgksdgojnmfnb';

$password = md5($salt.$_POST['password']);
$result = mysql_query("SELECT id FROM users
                       WHERE username = '".mysql_real_escape_string($_POST['username'])."'
                       AND password = '$password'");

if (mysql_num_rows($result) < 1) {
    /* Access denied */
    echo "The username or password you entered is incorrect.";
} 
else {
    $_SESSION['id'] = mysql_result($result, 0, 'id');
    #header("Location: ./");
    echo "Hello $_SESSION[id]!";
}

推荐答案

确保密码存储方案安全的最简单方法是使用标准库.

The easiest way to get your password storage scheme secure is by using a standard library.

由于安全性往往要比大多数程序员独自解决的复杂得多，并且具有更多看不见的破坏可能性，因此使用标准库几乎总是最简单，最安全(如果不是唯一的话)的可用选项.

Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option.

如果您使用的是PHP 5.5.0或更高版本，则可以使用新的简化密码哈希API

If you are using PHP version 5.5.0 or newer, you can use the new simplified password hashing API

使用PHP的密码API的代码示例:

Example of code using PHP's password API:

<?php
// $hash is what you would store in your database
$hash = password_hash($_POST['password'], PASSWORD_DEFAULT, ['cost' => 12]);

// $hash would be the $hash (above) stored in your database for this user
$checked = password_verify($_POST['password'], $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}

(如果您仍在使用旧版5.3.7或更高版本，则可以将 ircmaxell/password_compat 安装到可以访问内置功能)

(In case you are still using legacy 5.3.7 or newer you can install ircmaxell/password_compat to have access to the build-in functions)

如果您想要额外的安全性，安全人员现在(2017年)建议添加"

If you want extra security, the security folks now (2017) recommend adding a 'pepper' to the (automatically) salted password hashes.

有一个简单的类可以安全地实现此模式，我建议: Netsilik/PepperedPasswords ( github ).
它带有MIT许可证，因此即使在专有项目中，您也可以随意使用它.

There is a simple, drop in class that securely implements this pattern, I recommend: Netsilik/PepperedPasswords (github).
It comes with a MIT License, so you can use it however you want, even in proprietary projects.

使用Netsilik/PepperedPasswords的代码示例:

<?php
use Netsilik/Lib/PepperedPasswords;

// Some long, random, binary string, encoded as hexadecimal; stored in your configuration (NOT in your Database, as that would defeat the entire purpose of the pepper).
$config['pepper'] = hex2bin('012345679ABCDEF012345679ABCDEF012345679ABCDEF012345679ABCDEF');

$hasher = new PepperedPasswords($config['pepper']);

// $hash is what you would store in your database
$hash = $hasher->hash($_POST['password']);

// $hash would be the $hash (above) stored in your database for this user
$checked = $hasher->verify($_POST['password'], $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}

请注意:，您不再需要此功能！这仅是出于历史目的.

Please note: you should not be needing this anymore! This is only here for historical purposes.

看看:> 便携式PHP密码哈希框架 : phpass ，并确保尽可能使用CRYPT_BLOWFISH算法.

Take a look at: Portable PHP password hashing framework: phpass and make sure you use the CRYPT_BLOWFISH algorithm if at all possible.

使用phpass(v0.2)的代码示例:

Example of code using phpass (v0.2):

<?php
require('PasswordHash.php');

$pwdHasher = new PasswordHash(8, FALSE);

// $hash is what you would store in your database
$hash = $pwdHasher->HashPassword( $password );

// $hash would be the $hash (above) stored in your database for this user
$checked = $pwdHasher->CheckPassword($password, $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}

PHPass已在一些众所周知的项目中实现:

PHPass has been implemented in some quite well known projects:

• phpBB3
• WordPress 2.5+和bbPress
• Drupal 7版本(模块适用于Drupal 5和6)
• 其他

• phpBB3
• WordPress 2.5+ as well as bbPress
• the Drupal 7 release, (module available for Drupal 5 & 6)
• others

好处是，您不必担心细节，这些细节是由经验丰富的人编写的，并已由Internet上的许多人进行了审查.

The good thing is that you do not need to worry about the details, those details have been programmed by people with experience and reviewed by many folks on the internet.

有关密码存储方案的更多信息，请阅读 Jeff 的博客文章:

For more information on password storage schemes, read Jeff`s blog post: You're Probably Storing Passwords Incorrectly

无论您采取哪种方法，只要您采取"我会自己做，谢谢"的方法，就不再使用MD5或SHA1 .它们是很好的哈希算法，但出于安全考虑被认为已损坏.

Whatever you do if you go for the 'I'll do it myself, thank you' approach, do not use MD5 or SHA1 anymore. They are nice hashing algorithm, but considered broken for security purposes.

当前，最好将CRYPT_BLOWFISH与 crypt 一起使用.
PHP中的CRYPT_BLOWFISH是Bcrypt哈希的实现. Bcrypt基于Blowfish块密码，利用其昂贵的密钥设置来减慢算法速度.

Currently, using crypt, with CRYPT_BLOWFISH is the best practice.
CRYPT_BLOWFISH in PHP is an implementation of the Bcrypt hash. Bcrypt is based on the Blowfish block cipher, making use of it's expensive key setup to slow the algorithm down.

这篇关于如何安全地存储用户密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！