PHP 中的密码安全
您认为哪种方法最安全?我从 php.net 上取下了这些片段。我只是想知道,因为人们发布了自己的内容,而我只是无法理解为什么有些人是这样的......有人可以帮助我并告诉我更多关于这些的信息吗?哪个最安全,为什么?
1.2.3.4.5
<?php
$hash = md5($salt1.$password.$salt2);
?>
<?php
function eliteEncrypt($string) {
// Create a salt
$salt = md5($string."%*4!#$;\.k~'(_@");
// Hash the string
$string = md5("$salt$string$salt");
return $string;
}
?>
<?php
define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff');
define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff');
$password = 'dragon';
function generate_encrypted_password($str) {
$new_pword = '';
if( defined('SALT_ONE') ):
$new_pword .= md5(SALT_ONE);
endif;
$new_pword .= md5($str);
if( defined('SALT_TWO') ):
$new_pword .= md5(SALT_TWO);
endif;
return substr($new_pword, strlen($str), 40);
}
echo generate_encrypted_password($password);
?>
<?
function enchsetenev($toencode,$times)
{
$salt = 's+(_a*';
for($zo=0;$zo<$times;$zo=$zo+1)
{
$toencode = hash('sha512',salt.$toencode);
$toencode = md5($toencode.$salt);
}
return $toencode;
}
?>
.
<?php
$hash = $password . $salt;
for ( $i = 0; $i < 10000; $i++ ) {
$hash = md5( $hash );
}
echo $hash;
?>
What method would you call safest and most secure? I took these snippets off php.net. I'm just wondering because people posted their own and I just couldn't catch on to understand why some are the way they are... Can someone help me out and tell me a little more about these? Which would be the most secure and why?
1.
<?php
$hash = md5($salt1.$password.$salt2);
?>
2.
<?php
function eliteEncrypt($string) {
// Create a salt
$salt = md5($string."%*4!#$;\.k~'(_@");
// Hash the string
$string = md5("$salt$string$salt");
return $string;
}
?>
3.
<?php
define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff');
define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff');
$password = 'dragon';
function generate_encrypted_password($str) {
$new_pword = '';
if( defined('SALT_ONE') ):
$new_pword .= md5(SALT_ONE);
endif;
$new_pword .= md5($str);
if( defined('SALT_TWO') ):
$new_pword .= md5(SALT_TWO);
endif;
return substr($new_pword, strlen($str), 40);
}
echo generate_encrypted_password($password);
?>
4.
<?
function enchsetenev($toencode,$times)
{
$salt = 's+(_a*';
for($zo=0;$zo<$times;$zo=$zo+1)
{
$toencode = hash('sha512',salt.$toencode);
$toencode = md5($toencode.$salt);
}
return $toencode;
}
?>
5.
<?php
$hash = $password . $salt;
for ( $i = 0; $i < 10000; $i++ ) {
$hash = md5( $hash );
}
echo $hash;
?>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
如果将第一个示例更改为:
这对于 99% 的应用程序来说足够安全。
唯一的问题是如何产生盐。我建议使用固定盐($salt2)和为每个用户生成的盐($salt1),该盐与密码一起存储在数据库中。
这样,即使有人检索了您数据库的内容,您也可以非常安全地抵御彩虹表攻击。
If you change the first example to :
this will be secure enough for 99% of the application.
The only question is how to generate the salt. I recommend a fixed salt ($salt2) and on salt generated for each user ($salt1) which is stored in the database along the password.
This way you're pretty secure against rainbow table attack even if someone retrieves the content of your database.
更好的选择是使用 md5 以外的其他内容,请检查此处 之前回答过与此相关的问题。
A better option is to use something other than md5, check here for a previously answered question relating to this.
对此没有标准的好答案。我所知道的是,安全性和速度必须保持平衡。您可以使用 AES 加密所有信息,但这可行吗?回答你的问题MD5(这是一种加密方式)加上SALT(一个真正随机的字符串)被认为是一个很好的安全标准。它恰好是最快且足够安全的。
如果您尝试实现自己的加密,那么这就像魔术一样,您将电线缠绕太多次,但只要拍一下手腕,它就会解开。因此,除非您想对这个想法进行理论化和论证,否则请选择 SALT+MD5。
there is no standard good answer for this. What I do know is that security and speed has to be balanced. You could AES encrypt every information but would that be feasible? To answer your question MD5 (which is one way encrypt) plus SALT (a really random string) is considered a good standard of security. It just happens to be fastest and secure enough.
If you try to implement your own encryption and what not it will be like that magic trick where you entangle the wire too many times and yet it comes undone with wrist slap. So go for SALT+MD5 unless you want to theorize and thesis-fy the idea.
我认为这符合大部分目的,所以我将对其进行解释。有两个盐的原因是因为可以说 $salt1 对于每个用户名都是唯一的,因此它是用户表中的一列(用户注册时生成的随机字符串),$salt2 存储在文件系统上的 config.ini 文件中的某个位置,该文件是在以下时间创建的该应用程序已安装,并且对于所有用户都是相同的。现在猜测密码黑客将需要$salt1和$salt1,他可以通过sql注入访问salt1,但无法访问salt2存储在config.ini中的文件系统,因此双重保护。
This one I think suits most of the purpose so I will explain it . Reason there are two salt are because lets say $salt1 is unique to every username hence its an column in the user table (a random string generated when user registers), $salt2 is stored on filesystem somewhere in config.ini file which was created when the application was installed and its same for all users . Now to guess the password hacker will need $salt1 and $salt1 , he can have access to salt1 through sql injection , but not have access to filesystem where salt2 is sotred inside config.ini hence double protection .
难道只是用 5 种不同的方法来做几乎相同的事情吗?我认为这里的学习目标是了解加盐密码的重要性。加盐的最好方法是使用尽可能多的盐,并且盐字符串包含尽可能多的疯狂字符。
Is it just 5 different ways to do almost the same? I think the learning objective here is to understand the importance of salting passwords. The best way to salt is to use as much salt as possible and the salt string includes as many crazy characters as possible.