在PHP中使用preg_match验证密码 [英] validate password with preg_match in php

问题描述

我需要验证密码.我目前使用: preg_match("/^[a-z0-9_-]*$/i", $pass).

I need to validate passwords. I currently use: preg_match("/^[a-z0-9_-]*$/i", $pass).

我想增加长度.我的mysql表是这样设置的:userpassword varchar (40) NOT NULL,.因此介于6到40个字符之间.我想允许所有没有危险的字符放入我的数据库.

I would like to add length to this. My mysql table is set up like this : userpassword varchar (40) NOT NULL,. So between 6 and 40 characters. And I would like to allow all characters that are not dangerous to put in my db.

推荐答案

在密码上强加任意复杂性规则对用户非常不利，并且不会显着提高安全性.不要这样做.

Imposing arbitrary complexity rules on passwords is very user hostile and does not improve security substantially. Don't do it.

这就是为什么我认为上述说法正确的原因:

Here's why I think the above statement is true:

• 如果我想使用密码为"123456"的网站，这是我的问题.让我滚动一下.
• 您可以设置一个最小长度(例如6个字符)，但不能最大.如果我想引用整个
• 人们可能会使用不自动符合您的规则集的密码生成器.除了不包含足够/或太多的特殊字符"外，不要因为其他原因不接受密码而惹恼他们.
• 您必须使用体面的哈希算法加上随机的哈希盐，对于每个用户而言都是不同的.仅将哈希盐和哈希存储在数据库中，从不存储明文密码.
• 一旦经过哈希处理，即使是la脚的密码也可以防止盗窃/破解.实施针对暴力攻击的安全性(基于时间的锁定，基于IP的锁定，通过电子邮件握手进行密码锁定以检索锁定的帐户).

• If I want to use your website with "123456" as my password, it's my problem. Let me roll with it.
• You may impose a minimum length (e.g. 6 characters), but not a maximum. If I want to cite the entire John Maynard as my password, let me roll with it.
• Your idea of a "secure" password might not be everybody else's idea.
• People might use password generators that do not automatically comply with your rule set. Don't annoy them by not accepting their password for no other reason than not containing enough/or too many "special characters".
• You must hash your customer's passwords with a decent hashing algorithm plus a random hash salt, different for every user. Only store hash salts and hashes in the database, never store clear text passwords.
• Once hashed, even a lame password is reasonably secure against theft/cracking. Implement security against brute-force attacks (time-based lock-outs, IP-based lock-outs, password locking with e-mail handshake to retrieve a locked account).

所以您的密码验证过程是这样的

So your password validation process goes like this

• 新用户?使用用户名和随机盐创建用户记录(不要更改该用户的盐值)
• 回头用户?从数据库中获取盐，重新哈希他的密码，将结果与数据库中的哈希进行比较.
• 永远不要将用户密码物理上存储在任何地方，而使用HTTPS进行传输.
• 如果您不想执行上述操作，请考虑使用 OAuth 与您的网站.也许也不容易，但是您不必再担心密码的安全性 ，您的用户就不用再记住一个密码了.

• New user? Create user record with username and random salt (never change the salt value for that user)
• Returning user? Fetch salt from DB, re-hash his password, compare result to hash in DB.
• Never store the user's password anywhere physically and use HTTPS to transmit it.
• If you do not want to do something like the above, think about using OAuth with your site. May not be easy either, but you do not have to worry about password security anymore and your users have one less password to remember.

为了论证，此正则表达式将按照您的要求进行操作.如果您仍然渴望这样做.

For the sake of the argument, this regex will do what you ask. If you're still desperate to do it.

preg_match("/^[a-z0-9_-]{6,40}$/i", $pass)

这篇关于在PHP中使用preg_match验证密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！