密码“盐” - 我在做对吗? [英] Password "salts" -- Am I doing it right?
问题描述
我想到,也许我的登录系统不像我以前那么安全。
首先,我要用你的话说明我在做什么。
I got to thinking that maybe my login system isn't as secure as I thought it was. So first, I'm going to explain to you, in words, what I am doing.
当用户注册时,会产生一个16个字符的盐。
我在一个名为salt的字段中将盐存储在数据库中
我存储散列密码+ salt(它们一起散列 hash(sha256,$ salt。$密码); )在一个名为密码的字段
When a user registers, a 16 character salt is generated.
I store the salt in the database in a field called "salt"
I store the hashed password+salt (they are hashed together hash("sha256", $salt.$password);) in a field called "password"
当用户尝试登录时,我获取密码字段和数据库中的salt字段,以及其他一些信息。
When a user attempts to log in, I fetch the "password" field and the "salt" field from the database, along with a few other things.
要检查他们是否正确输入密码,请执行以下操作:
To check if they entered their password correctly, I do this:
$hashed = hash("sha256", $row['salt'].$pass);
if ($row['password'] == $hashed) {
//success
($ row是从数据库获取的数组$ row ['salt']是数据库中的salt,$ pass是他们输入的密码,$ row [password]是散列的pass +盐在数据库中)
($row is the fetched array from the database. $row['salt'] is the salt in the database, $pass is the password they entered, and $row["password"] is the hashed pass+salt in the database)
我在想,而且看起来,我的盐提供很少(或没有)安全性好处。我的问题给大家只是这样:我的方法是否提供额外的安全性(或者甚至安全吗?)
I was thinking, and it looks to me that my salt offers little (or no) security benefits at all. My question to you all is just that: DOES my method offer additional security (or is it even secure it all?)
此外,我有一个第二个问题。 我想验证这个检查登录脚本不能被欺骗/欺骗,以便在没有密码的情况下进入某人的帐户。
In addition, I have a second 'question.' I want to verify that this "check login" script can't be spoofed/cheated in order to gain entry to someone's account without their password.
session_start();
require_once 'db_connect.php';
//If the session variable "id" isn't set (i.e. they aren't logged in)
if (!isset($_SESSION['id'])) {
//Check if they wanted to be "remembered" (so they have 2 cookies
if (isset($_COOKIE['rem_user']) && isset($_COOKIE['rem_pass']))
{
$query = "SELECT
id,
password,
auth,
email,
username
FROM users
WHERE
username='".$_COOKIE['rem_user']."'
AND active IS NULL"
$res = mysql_query( $query );
if (mysql_num_rows($res) == 1)
{
$row = mysql_fetch_array($res);
// If the "remember me" cookie containing their password
// is equal to the one in the database, log them back in.
if ($_COOKIE['rem_pass'] == $row['password'])
{
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
$_SESSION['auth'] = $row['auth'];
$_SESSION['email'] = $row['email'];
$logged_in = 1;
}
}
}
else
$logged_in = 0;
}
else
//Since the session variable "id" WAS set, they ARE logged in.
$logged_in = 1;
我认为登录的唯一方法是...
I would think that the only way to log in is...
- 欺骗会话变量,我不认为没有服务器访问是可能的
- 使用加密密码欺骗cookie +盐,我相信几乎不可能没有访问数据库。
反馈将不胜感激。我想确保我的系统是安全的。 :)
Feedback would be appreciated. I want to make sure my system is secure. :)
谢谢!
推荐答案
... 不要滚动您自己的安全。以下是上述的一些问题:
Okay, here it goes... do not roll-your-own security. Here are some issues with above:
-
散列密码存储为Cookie。
该cookie是一个SQL Injection Attack向量。
The cookie is an SQL Injection Attack vector.
使用SHx进行散列。 (使用bcrypt,scrypt,hmac等)
Uses SHx for hashing. (Use bcrypt, scrypt, hmac, etc.)
然后我停下来看。 #1显示这应该留给现有的测试/审核库。
And then I stopped looking. #1 shows that this should be left to an existing tested/vetted library.
这篇关于密码“盐” - 我在做对吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
