使用代码Igniter存储密码的最安全的方法是什么？ [英] What is the safest way to store a password using Code Igniter?

问题描述

我目前使用Code Igniter。

I am using Code Igniter for my current project.

现在，我使用 MD5 进行密码散列，

As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so.

我应该怎么办？

1. 使用盐


2. 或者我应该使用 bcrypt

1. Using a salt
2. Or should I use bcrypt

此外，如果建议使用 bcrypt ，那么如何使用代码Igniter？

Also, if bcrypt is recommended, then how to use it with Code Igniter?

我把这些文件放在 application / libraries

1. PasswordHash.php


2. c / Makefile


3. c / crypt_private.c
4. 
   

1. PasswordHash.php
2. c/Makefile
3. c/crypt_private.c

在我的控制器中，我使用这个代码 -

In my controller, I am using this code -

$params = array(
       'phpass_hash_strength' => 8,
           'phpass_hash_portable' => FALSE
       );
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);

我得到这些错误 -

I am getting these errors -

A PHP Error was encountered

Severity: Notice

Message: Uninitialized string offset: 3

Filename: libraries/PasswordHash.php

Line Number: 116

---

---

A PHP Error was encountered

Severity: Warning

Message: strpos() [function.strpos]: Empty delimiter

Filename: libraries/PasswordHash.php

Line Number: 116

---

更新

已删除 PasswordHash.php ，现在使用 SimpleLoginSecure 。

推荐答案

使用bcrypt。此讨论提出了这里在我的评论回答。您可以使用 phppass 这样的库来真正简化密码加密。

Use bcrypt. This discussion came up here in the comments to my answer. You can use a library such as phppass to really simplify the password encryption.

关于盐的问题。用它！否则，某人可以直接访问此网站，并下载彩虹表，该表将覆盖绝大多数用户选择的密码。特别是在过去几个月的所有安全漏洞，现在不是时候说你不会使用一些简单的实现作为随机盐。

On the matter of salt. Use it! Otherwise somebody can simply go to this site and download the rainbow tables that will cover the large majority of passwords the average users chooses. Especially with all the security leaks in the last few months, now is not the time to be saying you won't use something as simple to implement as random salt.

UPDATE

要使用PHPPass与CI，请从上面链接的phppass网站下载并解压缩文件。将PasswordHash.php文件放入您的CI应用程序/ libraries目录。

To use PHPPass with CI, download and extract the files from the phppass website, linked above. Put the PasswordHash.php file into your CI application/libraries directory.

在您的代码中，然后通过以下方式加载库： $ this-> ; load-> library（'PasswordHash'，array（8，FALSE））;

In your code, you then load the library via: $this->load->library('PasswordHash',array(8, FALSE));

c $ c> $ this-> PasswordHash-> HashPassword（$ password）;

Hashing passwords is then as simple as $this->PasswordHash->HashPassword($password);

要稍后检查密码是否正确，它很简单：

To later check if a password is correct, it is as simple as:

$password = $_POST['password'];
$actualPassword = /*Get the hashed password from your db*/;

$check = $this->PasswordHash->CheckPassword($password, $actualPassword);

我从 http://dev.myunv.com/articles/secure-passwords-with-phpass/ ，这给了你更多的信息。我修改了那个教程稍微利用CI的加载器，这就是为什么你不需要 include 或新语句。

I've taken this demo from http://dev.myunv.com/articles/secure-passwords-with-phpass/ which gives you a lot more informations. I've modified that tutorial slightly to utilize CI's loader which is why you don't need the include or new statements.

这篇关于使用代码Igniter存储密码的最安全的方法是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！