PHP 不同的单向哈希密码安全性

发布于 2024-09-16 19:50:06 字数 186 浏览 11 评论 0原文

我想使用不同的可用方法以及它们的组合来散列 PHP 中的密码,以获得越来越多的安全性。 我想知道这是否有效..?

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);

I was wondering to hash the password in PHP using different methods available and the combination of them for more and more security.
I was wondering if this would work..?

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

枉心 2024-09-23 19:50:06

相反,您可以使用更强的哈希算法,例如 sha512 以及强盐和 UserID 的组合:这样做:

 echo hash('sha512', 'MyPassword' . $StrongSalt . $UserID);

SHA512 实际上是 SHA-2,没有发现冲突。请参阅维基百科

Rather than that, you can use a stronger hashing algorithm like sha512 with combination of a strong salt and UserID: Do it like this:

 echo hash('sha512', 'MyPassword' . $StrongSalt . $UserID);

SHA512 is actually SHA-2 for which there are no collisions found. See at wikipedia.

固执像三岁 2024-09-23 19:50:06

没有。组合不会增加任何安全性。
实际上你让它变得不那么安全了。理论上是这样,但无论如何。

我有一种感觉,哈希问题被高估了。
没有人关心任何其他安全问题,但每个人都渴望让哈希值在十亿年内牢不可破。放松点,伙计。还有数千种其他方法可以破坏您的应用程序。

Nope. Combinations do not add any security.
Actually you made it less secure. Theoretically, but anyway.

I have a feeling that hashing issues are way overestimated.
Nobody concerns in any other security issue but everyone anxious to make a hash unbreakable in a billion years. Relax, buddy. There are thousands other ways to break your app.

东风软 2024-09-23 19:50:06

我想添加盐就足够了,但如果你想要更多,可以这样做:

sha1($salt. sha1($salt. $pass));

并让 $salt 包含一些非打印字符、任意二进制数据或类似的东西。

再说一次,我想这不会增加太多,因为我看到的实现只添加了 $salt,但为什么不为未来的时代提供更多的安全性:)

I guess adding a salt is enough, but if you want more maybe do:

sha1($salt. sha1($salt. $pass));

and let $salt contain some non-printed chars, arbitrary binary data or anything like that.

Again, I guess this won't add much since implementation I saw only add $salt, but why not more security for the coming ages : )

荭秂 2024-09-23 19:50:06

您的密码很可能永远不会 100% 安全。

尝试查看 nonce。 应为每个单独的用户生成该随机数。

Your passwords will most likely, never be 100% secure.

Try looking at a nonce. Which should be generated for each individual user.

柠檬色的秋千 2024-09-23 19:50:06

如果你要这样做,不要只对结果进行 MD5:

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);

相反,对结果和输入运行 md5...

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$tmp = sha1($pass.$salt);
$pass = md5($tmp . $pass . $salt);

原因是,如果你这样做 md5(sha1( )),你基本上增加了碰撞的机会。原因是所有 sha1 冲突都会自动成为 md5 调用中的冲突(因此它是冲突的超集)。通过重新输入密码和盐,您可以防止这种情况发生,从而创建一个“更强”的散列而不是更弱的散列......

IF you are going to do this, don't just MD5 the result:

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);

Instead, run md5 on the result and the inputs...

$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$tmp = sha1($pass.$salt);
$pass = md5($tmp . $pass . $salt);

The reason is that if you do md5(sha1()), you're basically increasing the chances of collision. The reason is that all sha1 collisions would automatically be collisions in the md5 call (hence it's a superset of the collisions). By re-entering the password and salt, you're preventing that from happening, and hence creating a "stronger" hash rather than a weaker one...

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文