基本的PHP pbkdf2哈希 [英] basic php pbkdf2 hashing

问题描述

我对PHP比较陌生，刚开始掌握关于哈希密码（我认为是什么？）的盐点。无论如何，这是我的问题......

现在我有一个带有用户名，密码，salt字段的mysql数据库。密码字段长度为64个字符，盐字段为3个字符。在注册时，每个用户名都被分配一个随机盐。我对此没有任何问题（我相信）。首先，通过以下方式对用户期望的密码进行散列：

  $ hashedinput = hash（'sha256'，$ input）; 
  

然后按照以下步骤将用户所需的密码与pbkdf2中包含的salt进行散列，然后输入数据库：

  $ password = pbkdf2（'sha256'，$ hashedinput，$ salt，10000，64）; 
  

我的问题是登录。数据库到用户输入的密码，它总是回来！=。以下是我来验证登录：

  $的UserData = mysql_fetch_array（$搜索，MYSQL_ASSOC）; 
 $ inputhash = hash（'sha256'，$ input）; //从表单
 $ salt = $ userData ['salt']; // Salt from DB 
 $ password = pbkdf2（'sha256'，$ inputhash，$ salt，10000，64）; 
 $ knownpassword = $ userData ['password']; //从DB 
知道密码 

因此，为了排除故障，我回显了所有输出，这就是它看起来像当我输入正确的密码（并没有登录我）：

输入密码：3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6e66913e43bf60478907ca07429b0cf90c808ce2097e0544cc44d298bfb7b85ad

'p> DB密码：3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6

注意，输入密码具有第一64个字符是正确的，但它仍然会持续128个字符总。数据库密码只有64位。

感谢您提前！

解决方案

<一段时间后，Thomas Ptacek 写了一篇很棒的文章，稍后详细解释了盐是什么，为什么它是有用的，并给了你需要记住密码散列系统的＃1规则：

使用他人的密码系统。不要自己创建。

如果您要在应用程序中使用PHP 5.5，请使用新的 password_hash API;如果不是，请确保至少使用PHP 5.3并使用 password_hash userland兼容性库 。它们旨在为您解决这些问题。

I am relatively new to php, and just beginning to grasp the point of salt when it comes to hashing passwords (I think?). Anyways, here's my problem...

Right now I have a mysql database with a username, password, salt field. The password field length is 64 chars, the salt field is 3 chars. Upon registry, each username is assigned a random salt. I am not having any issues with this (I believe). First, the user's desired password is hashed via:

$hashedinput = hash ('sha256', $input);

The user's desired password is then hashed with the salt included with pbkdf2 by the following procedure, and entered in the database:

$password = pbkdf2('sha256', $hashedinput, $salt, 10000, 64);

My problem is the log in. When comparing the hashed password in the database to the password the user inputs, it always comes back !=. Here is what I do to validate login:

$userData = mysql_fetch_array($search, MYSQL_ASSOC);
$inputhash = hash('sha256', $input); // From Form
$salt = $userData['salt']; // Salt from DB
$password = pbkdf2('sha256', $inputhash, $salt, 10000, 64);
$knownpassword = $userData['password']; // Known password from DB

So, to troubleshoot I echo'd all the outputs and this is what it looks like when I enter the CORRECT password (and it doesn't log me in):

Input password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6e66913e43bf60478907ca07429b0cf90c808ce2097e0544cc44d298bfb7b85ad

DB password: 3d8bc905668c1a1cca5b53a78941d3ca4673e12df6ac5e98e19fa47b153406f6

Note that the input password has the first 64 characters correct, but it continues to go on for 128 chars total. The DB password is just 64.

Thanks ahead of time!

解决方案

Thomas Ptacek wrote a great article a while back explaining - in some detail - what salt is, why it's useful, and gave the #1 rule you need to memorize regarding password hashing systems:

Use someone else’s password system. Don’t build your own.

If you are going to be using PHP 5.5 in your application, use the new password_hash API; if you're not, make sure you're using at least PHP 5.3 and use the password_hash userland compatability library. They are designed to take all the pain out of this for you.

这篇关于基本的PHP pbkdf2哈希的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！