最佳做法:在表中存储密码的最安全方法? [英] Best practices: safest method to store passwords in a table?

问题描述

我正在使用PHP.我曾经使用本机mysql函数password()来存储密码.有人告诉我password()不再安全了.在PHP中存储密码的最佳方法是什么?是MD5吗?

解决方案

更新的答案2016:

PHC (密码哈希竞赛)的获胜者是参考实现在GitHub上可用.

2012年更新的答案:

我在下面给出的原始答案曾经被认为是最佳实践.但是，哈希计算技术的进步使这些方案易受攻击.展望未来，唯一的安全密码哈希方案是迭代哈希，例如 bcrypt 和 PBKDF2 .有关完整的讨论，请参见杰夫·阿特伍德的分析.

原始答案2009:

我建议您先在密码前添加盐值，然后哈希具有类似彩虹表进行攻击) ).

请记住，如果以这种方式存储密码，您将不能检索用户的丢失密码.他们将只能重设密码.这是因为您将使用单向哈希.但是，通常需要为更安全的密码存储系统进行权衡这一限制.即使您的数据库遭到破坏，您的用户密码仍将非常困难，并且攻击者可能无法恢复密码.

I am using PHP. I used to use native mysql function password() to store passwords. I was told that password() is not safe anymore. What would be the best method to store passwords in PHP? is it MD5?

解决方案

Updated Answer 2016:

The winner of the PHC (Password Hashing Competion) was Argon2. Hashing passwords with Argon2 is the best practice as of 2016.

PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST's AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner, Argon2, an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

We recommend that use you use Argon2 rather than legacy algorithms.

The reference implementation is available on GitHub.

Updated Answer 2012:

The original answer I gave below was once considered to be a best practice. However, advances in hash-computing technology have rendered these schemes vulnerable. Going forward, the only secure password hashing schemes are iterative hashes such as bcrypt and PBKDF2. For a full discussion, see Jeff Atwood's analysis.

Original Answer 2009:

I recommend first prepending a salt value to your password, followed by hashing the resultant string with a reasonably strong hashing function like SHA256. This secures against the obvious (plain text passwords) and the not so obvious (attack using Rainbow tables).

Keep in mind that if you store passwords in this way, you will not be able to retrieve a user's lost password. They'll only be able to reset passwords. This is because you'll be using a one way hash. But this limitation is generally worth the tradeoff for a more secure password storage system. Even if your database is compromised, your user's passwords will still be exceedingly difficult and probably unpractical to recover by a would be attacker.

这篇关于最佳做法:在表中存储密码的最安全方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！