Best way to store passwords in MYSQL database


Question


Yes, I know storing passwords in plain text is not advised. Is there a best and easy way to store passwords so that the application remains secure?

Recommended answer


First off, md5 and sha1 have been proven to be vulnerable to collision attacks and can be rainbow tabled easily (when they see if your hash is the same in their database of common passwords).


There are currently two things that are secure enough for passwords that you can use.


The first is sha512. sha512 is a sub-version of SHA2. SHA2 has not yet been proven to be vulnerable to collision attacks, and sha512 will generate a 512-bit hash. Here is an example of how to use sha512:

<?php
// $password holds the user-supplied password
hash('sha512', $password);


The other option is called bcrypt. bcrypt is famous for its secure hashes. It's probably the most secure one out there and the most customizable one too.


Before you start using bcrypt you need to check if your server has it enabled. Enter this code:

<?php
// CRYPT_BLOWFISH is the constant PHP defines when bcrypt support is compiled in
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
    echo "CRYPT_BLOWFISH is enabled!";
} else {
    echo "CRYPT_BLOWFISH is not available";
}


If it returns that it is enabled, then the next step is easy. All you need to do to bcrypt a password is (note: for more customizability you need to see this: How do you use bcrypt for hashing passwords in PHP?):

<?php
crypt($password, $salt);


A salt is usually a random string that you add to the end of all your passwords when you hash them. Using a salt means that if someone gets your database, they cannot check the hashes for common passwords. Checking the database this way is called using a rainbow table. You should always use a salt when hashing!


Here are my proofs for the SHA1 and MD5 collision attack vulnerabilities:
http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
http://eprint.iacr.org/2010/413.pdf
http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
http://conf.isi.qut.edu.au/auscert/proceedings/2006/gauravaram06collision.pdf
Understanding sha-1 collision weakness
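The following is an added worked example, not code from the question or the answer above. It shows the bcrypt route the answer recommends end to end: hashing with PHP's built-in password_hash() (which calls crypt() with a generated salt, so you never handle the salt yourself), the same thing spelled out with crypt() and a hand-built bcrypt salt, and storage and verification against a database through prepared statements. It also shows concretely what the answer's salt paragraph warns about: an unsalted sha512 of the same password gives two users the identical stored value, while bcrypt gives each user a different value that still verifies. Assumptions for illustration: PHP 7 or later with PDO, a users table with username and password_hash columns, and an in-memory SQLite database standing in for MySQL so the script runs offline (the SQL is the same for MySQL).

```php
<?php
// Added example (not part of the original answer). Assumes PHP >= 7.0 with
// PDO; table/column names and the SQLite stand-in for MySQL are assumptions.
declare(strict_types=1);

// 1. Why an unsalted fast hash is a poor fit for passwords: two users with
//    the same password get identical stored values, so a precomputed table
//    of common passwords matches both rows at once.
function unsaltedSha512(string $password): string
{
    return hash('sha512', $password);
}

// 2. bcrypt via password_hash(): PHP draws a random 128-bit salt itself and
//    embeds salt and cost in the 60-character result ("$2y$12$" + 22-char
//    salt + 31-char hash), so the caller stores a single column.
function hashPassword(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// 3. Verification reads salt and cost back out of the stored string.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// 4. The same thing with crypt() directly, as the answer shows, with the
//    bcrypt salt format made explicit: 22 characters from [./A-Za-z0-9].
//    Shown for illustration; prefer password_hash() in new code.
function bcryptWithCrypt(string $password, int $cost = 12): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {            // crypt() returns a short string on failure
        throw new RuntimeException('bcrypt (CRYPT_BLOWFISH) is not available');
    }
    return $hash;
}

// 5. Storage and login with prepared statements so the login form cannot
//    inject SQL. The bcrypt string fits comfortably in VARCHAR(255).
function storeUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, hashPassword($password)]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run one bcrypt verification so the response
        // time does not reveal whether the username exists.
        password_verify($password, '$2y$12$' . str_repeat('a', 53));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // The cost can be raised over time; upgrade old hashes on successful login.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([hashPassword($password), $username]);
    }
    return true;
}

// Demo with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');

assert(unsaltedSha512('correct horse') === unsaltedSha512('correct horse')); // identical: no salt

storeUser($db, 'alice', 'correct horse');
storeUser($db, 'bob',   'correct horse');
$rows = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
assert($rows[0] !== $rows[1]);                                                // distinct: per-user salt

assert(loginUser($db, 'alice', 'correct horse') === true);
assert(loginUser($db, 'alice', 'wrong password') === false);
assert(loginUser($db, 'nobody', 'correct horse') === false);
assert(verifyPassword('correct horse', bcryptWithCrypt('correct horse')) === true);
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every assertion holds. The cost of 12 is a starting point: measure how long one hashPassword() call takes on your own server and pick the highest cost that still fits your login latency budget, then let password_needs_rehash() migrate existing rows as users log in.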

