安全的密码生成和存储 [英] Secure password generation and storage
问题描述
我正在构建一个登录系统,并且我想确保我正在编写写入代码以在db中生成和存储密码。
这是我的代码生成一个哈希:
pre $ public function createPasswd($ options){
$ hash_seed ='m9238asdasdasdad31d2131231231230132k32ka¡2da12sm2382329';
$ password = $ options ['passwd'];
$ date = new DateTime();
$ timestamp = $ date-> getTimestamp();
$ rand_number = rand($ timestamp,$ timestamp + pow(91239193912939123912,3));
$ rand = pow($ rand_number,12);
$ salt = str_shuffle($ rand。$ hash_seed);
$ hash = crypt($ password,$ salt);
返回$ hash;
} //结束类createPasswd
我只将散列存储在数据库中,然后比较它与用户的密码如下所示:
$ $ p $ $ code if($ hash == crypt($ password,$ hash)){
echo'密码有效!';
} else {
echo'密码无效。';
}
这足够强吗?我是否错过了一些大问题? 解决方案
你不能正确使用crypt功能。 $ salt参数不应该是一个简单的随机字符串。
考虑这个例子:
echo crypt('password one','salt lorem ipsum dolor sit amet');
echo crypt('password two','salt');
两者都会返回相同的字符串! (sa3tHJ3 / KuYvI)
检查 http://php.net/ crypt)来获得更多关于如何使用$ salt的更多信息。
为了保持唯一的hash_seed代码,它还好得多(更安全?),然后在数据库中只存储一个包含密码和hash_seed的字符串的哈希(或其他算法)。
正确的实现将是:
define('SECRET_KEY','m9238asdasdasdad31d2131231231230132k32ka¡2da12sm2382329'); //越长越好
public function createPasswd($ options){
return hash('sha256',SECRET_KEY。$ options ['passwd']);
}
检查密码:
pre $
if($ stored_hash == hash('sha256',SECRET_KEY。$ password){
echo'Password is valid!';
} else {
echo'密码无效';
}
sha256 可以用系统中任何可用的算法来替换。获取完整列表:
var_dump(hash_algos()) ;
I'm building a login system and I want to be sure I'm writing the write code to generate and store passwords in the db. $options['passwd'] is the string selected as a password by the user.
This is my code to generate a hash:
public function createPasswd($options) {
$hash_seed = 'm9238asdasdasdad31d2131231231230132k32ka¡2da12sm2382329';
$password = $options['passwd'];
$date = new DateTime();
$timestamp = $date->getTimestamp();
$rand_number = rand($timestamp,$timestamp + pow(91239193912939123912,3));
$rand = pow($rand_number, 12);
$salt = str_shuffle($rand.$hash_seed);
$hash = crypt($password, $salt);
return $hash;
}//End class createPasswd
I just store the hash on the database and then compare it with user's password like the following:
if ($hash == crypt($password, $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
Is this strong enough? Am I missing some big issue?.
Longer salt doesn't mean better protection. You don't use crypt function properly. $salt argument should not be a simple random string.
Consider this exemple :
echo crypt('password one', 'salt lorem ipsum dolor sit amet');
echo crypt('password two', 'salt');
Both will return the same string ! (sa3tHJ3/KuYvI)
Check http://php.net/crypt for more information about how to use $salt the correct way.
It's also much better (safer?) to keep an unique hash_seed code side and then store in the database only a sha hash (or other algo) of a string combining the password and your hash_seed.
Correct implementation would be :
define('SECRET_KEY', 'm9238asdasdasdad31d2131231231230132k32ka¡2da12sm2382329'); // longer is better
public function createPasswd($options) {
return hash('sha256', SECRET_KEY . $options['passwd']);
}
To check the password :
if ($stored_hash == hash('sha256', SECRET_KEY . $password) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
sha256 can be replaced with any available algorithms on your system. Get the complete list with :
var_dump(hash_algos());
这篇关于安全的密码生成和存储的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
