Password hashing algorithm

Published 2024-11-25 08:01:20

I don't know much about hashing passwords, but I'd like to know. I'd like to know how good the following algorithm is for a normal site without credit card information or something like that, and I also want to know how to improve it.
The algorithm is:

hash('sha512', crypt(hash('whirlpool', $password.$username), base64_encode(md5(strlen($password)))))

Comments (5)

何其悲哀 2024-12-02 08:01:20

Don't mix more than one hash; each one is optimized to work best by itself.

Depending on what you are using that hash for, it's also a very bad idea to put $password in it. If it is being stored on the user's computer, that is, like in a cookie. You don't want that in there.

If you store the hash in a database you can also make it better by adding a dynamic random string before using the hashing algorithm. Then a new hash will be generated for the user each visit.

青朷 2024-12-02 08:01:20

I would highly recommend using a well-known, tested, vetted hash/crypt function over any home-grown algorithm.
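
Putting the two answers above into code (the first answer's point about a per-user random salt and the second answer's advice to use a vetted function), as an added example that is not part of either answer or of the question. PHP's built-in password API does the salting and the slow hashing for you, and `password_needs_rehash()` lets you raise the cost later. The example also keeps the question's exact expression in one function so that existing rows can be migrated on the user's next successful login; a weakness worth knowing about when doing that migration is that `crypt()` given a salt that is not in `$id$...` form falls back to traditional DES crypt, which uses only two salt characters and the first eight characters of its input, and the salt in the question depends on nothing but the password length. The usernames, passwords and the PHP >= 7.2 requirement are assumptions.

```php
<?php
// Added example, not from the question or the answers: PHP's built-in
// password API in place of the home-grown construction, plus a one-time
// migration path for rows that still hold the old hash.
// Assumes PHP >= 7.2 (argon2id is used when the build has it, bcrypt otherwise).
declare(strict_types=1);

// Strongest algorithm this build supports. password_hash() generates a fresh
// random salt on every call and stores it inside the returned string, so no
// username/salt concatenation is needed by the caller.
function chooseAlgorithm(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
}

function hashPassword(string $password): string
{
    return password_hash($password, chooseAlgorithm());
}

// The exact expression from the question, kept only so that old rows can be
// checked once and then replaced. strlen() is cast because strict_types is on.
function legacyHash(string $password, string $username): string
{
    return hash('sha512', crypt(hash('whirlpool', $password . $username),
                                base64_encode(md5((string) strlen($password)))));
}

// Login path. Returns the value to keep in the database: the unchanged hash,
// a new one when the row held a legacy hash or an outdated cost, or null when
// the password is wrong.
function loginAndUpgrade(string $password, string $username, string $stored): ?string
{
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Row still holds the old scheme: compare in constant time, then rehash.
        if (!hash_equals($stored, legacyHash($password, $username))) {
            return null;
        }
        return hashPassword($password);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Catches hashes made with an older algorithm or a lower cost.
    if (password_needs_rehash($stored, chooseAlgorithm())) {
        return hashPassword($password);
    }
    return $stored;
}

// Demo with constructed values.
$user   = 'alice';
$pw     = 'correct horse battery staple';
$legacy = legacyHash($pw, $user);                 // what the question's scheme stores

$upgraded = loginAndUpgrade($pw, $user, $legacy);
printf("legacy row, right password:   %s\n", $upgraded !== null && $upgraded !== $legacy ? 'accepted and upgraded' : 'FAILED');
printf("legacy row, wrong password:   %s\n", loginAndUpgrade('wrong', $user, $legacy) === null ? 'rejected' : 'FAILED');
printf("new row, right password:      %s\n", loginAndUpgrade($pw, $user, $upgraded) === $upgraded ? 'accepted, hash unchanged' : 'FAILED');
printf("new row, wrong password:      %s\n", loginAndUpgrade('wrong', $user, $upgraded) === null ? 'rejected' : 'FAILED');
printf("stored format after upgrade:  %s\n", password_get_info($upgraded)['algoName']);
```

Nothing about the user (name, email) goes into the hash input; `password_hash()` already makes two users with the same password get different hashes through its random salt. Note that bcrypt only looks at the first 72 bytes of the password, so if `PASSWORD_DEFAULT` ends up selected on an older build, a length cap on the login form is worth adding.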

浪菊怪哟 2024-12-02 08:01:20

Here is a class that I created to store id/password combos for an API I integrate with. Each user can have their own unique credentials. I do not advise storing any credit card data on a non-PCI-compliant computer.

This is my exact class but you have some missing pieces so I have commented those. Please note that the vector is unique (Think of it as a hash) and I store that in the database along with the encrypted data.

The key is out of the public directory which goes to another topic of securing your box.

<?php
// Note: the mcrypt extension this class depends on was deprecated in PHP 7.1 and removed from core in PHP 7.2.
// This is on my index page but added here so you see all constants.
define('DIR', dirname(__FILE__) . '/');


class locker {
  private $algorithm = MCRYPT_RIJNDAEL_256;
  private $key;
  private $mode = MCRYPT_MODE_CBC;
  public $iv;  // Public so we can change to the one used to encrypt it.

  public function __construct()
  {
    // Lets include our key
    // The key is located Outside of the public directory.
    $this->key = file_get_contents(DIR .'../keys/passphrase.key');
    // Create the initialization vector for added security.
    $this->iv = mcrypt_create_iv(mcrypt_get_iv_size($this->algorithm, MCRYPT_MODE_ECB), MCRYPT_RAND);
  }

  public function encrypt($string)
  {
    return base64_encode(mcrypt_encrypt($this->algorithm, $this->key, base64_encode($string), $this->mode, $this->iv));
  }

  public function decrypt($string)
  {
    return base64_decode(mcrypt_decrypt($this->algorithm, $this->key, base64_decode($string), $this->mode, $this->iv));
  }

  // Helper functions so you can see what you can do on your own box.
  public function list_modes()
  {
    print_r(mcrypt_list_modes());
  }

  public function list_algorithms()
  {
    print_r(mcrypt_list_algorithms());  // was misspelled "mcrpt_" in the original post
  }
}
?>

<?php
//Example usage
$locker = new locker;
$pass = $locker->encrypt('passwordvalue');
$iv = $locker->iv;

// Decrypt it
$locker = new locker;
$locker->iv = $iv;
$pass = $locker->decrypt($pass);
?>

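
The same design as the class above (key file kept outside the web root, a unique per-record IV stored next to the ciphertext), rebuilt on libsodium as an added example; this is not the answer's class. libsodium ships with PHP since 7.2, whereas the mcrypt extension the answer uses was removed from core in 7.2. `sodium_crypto_secretbox()` gives authenticated encryption, so a record that was modified in the database is rejected instead of being decrypted into garbage, which plain CBC cannot do. Like the answer's class this is for credentials that must be recovered in clear (an API login), not for the site's own users' passwords. The key-file path, the `Locker` name and PHP >= 7.4 (typed properties) are assumptions.

```php
<?php
// Added example, not the answer's code: key outside the public directory,
// random nonce per record stored in front of the ciphertext, authenticated
// encryption via libsodium. Assumes PHP >= 7.4.
declare(strict_types=1);

final class Locker
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' raw bytes');
        }
        $this->key = $key;
    }

    // Assumed layout: keys/secretbox.key one level above the public directory,
    // holding the raw bytes returned by sodium_crypto_secretbox_keygen().
    public static function fromKeyFile(string $path): self
    {
        $key = file_get_contents($path);
        if ($key === false) {
            throw new RuntimeException("cannot read key file $path");
        }
        return new self($key);
    }

    // Returns one base64 string: nonce || ciphertext+MAC. The fresh nonce is
    // what makes two encryptions of the same secret differ, and the MAC is
    // what makes tampering detectable.
    public function encrypt(string $plaintext): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox($plaintext, $nonce, $this->key);
        return base64_encode($nonce . $box);
    }

    public function decrypt(string $stored): string
    {
        $raw = base64_decode($stored, true);
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($raw === false || strlen($raw) < $min) {
            throw new RuntimeException('malformed record');
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        if ($plain === false) {
            throw new RuntimeException('authentication failed: wrong key or modified record');
        }
        return $plain;
    }
}

// Demo with a key generated in memory; in deployment use Locker::fromKeyFile().
$key    = sodium_crypto_secretbox_keygen();
$locker = new Locker($key);

$record = $locker->encrypt('api-user:api-secret');   // constructed credential
$again  = $locker->encrypt('api-user:api-secret');
echo $record === $again ? "nonce reuse!\n" : "same input, distinct ciphertexts\n";
echo 'decrypted: ', $locker->decrypt($record), "\n";

// Flip one bit of the stored record: decryption must fail, not return garbage.
$raw = base64_decode($record, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    $locker->decrypt(base64_encode($raw));
    echo "FAILED: tampered record accepted\n";
} catch (RuntimeException $e) {
    echo 'tamper detected: ', $e->getMessage(), "\n";
}
sodium_memzero($key);
```

Keeping the nonce inside the stored value replaces the answer's separate `iv` column and removes the chance of pairing a record with the wrong IV. The key file should be readable only by the web server's user; rotating it means re-encrypting every record, which is the reason to keep the nonce and ciphertext together in one field.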
甩你一脸翔 2024-12-02 08:01:20

If you want something strong, you have to

- never save the password but a hash (don't need so much) to avoid db hack use of password.

- and never ask for the password but for a hash of the password hash + salt (the date for example) to avoid playback attack.

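
The second point of the answer above, worked through as an added example that is not part of the answer: the server stores only a hash H of the password, and at login it sends a challenge and expects HMAC(H, challenge) back, so the password itself never crosses the wire. Instead of the date, the example uses a random single-use nonce with a short lifetime, because a date-based salt leaves every response replayable for the rest of that day. One property a defender should keep in mind: H is enough to answer any challenge, so a leaked database is as bad as leaked passwords under this scheme; it protects against replay on the wire, not against database theft, which is why the usual advice is TLS plus a slow server-side hash. The class names, the 60-second window and the sample password are assumptions.

```php
<?php
// Added example, not from the answer: single-use nonce challenge/response.
// Assumes PHP >= 7.4.
declare(strict_types=1);

final class ChallengeServer
{
    /** @var array<string,int> outstanding nonce => expiry timestamp */
    private array $outstanding = [];
    private int $ttl;

    public function __construct(int $ttlSeconds = 60)
    {
        $this->ttl = $ttlSeconds;
    }

    public function issueChallenge(int $now): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->outstanding[$nonce] = $now + $this->ttl;
        return $nonce;
    }

    // The nonce is consumed whether or not the response matches, so a second
    // attempt with the same nonce (a replay or a retried guess) always fails.
    public function verify(string $nonce, string $response, string $storedH, int $now): bool
    {
        if (!isset($this->outstanding[$nonce])) {
            return false;                       // unknown or already used
        }
        $expiry = $this->outstanding[$nonce];
        unset($this->outstanding[$nonce]);
        if ($now > $expiry) {
            return false;                       // expired
        }
        return hash_equals(ChallengeClient::respond($nonce, $storedH), $response);
    }
}

final class ChallengeClient
{
    // H: what the client derives locally and what the server keeps. It is
    // never sent as-is; only the HMAC over the nonce is.
    public static function secret(string $password): string
    {
        return hash('sha256', $password);
    }

    public static function respond(string $nonce, string $h): string
    {
        return hash_hmac('sha256', $nonce, $h);
    }
}

// Demo with constructed values and a fixed clock.
$server  = new ChallengeServer(60);
$storedH = ChallengeClient::secret('correct horse battery staple');
$t       = 1000000;

$n1 = $server->issueChallenge($t);
$r1 = ChallengeClient::respond($n1, ChallengeClient::secret('correct horse battery staple'));
printf("fresh response:   %s\n", $server->verify($n1, $r1, $storedH, $t + 1) ? 'accepted' : 'rejected');
printf("replayed:         %s\n", $server->verify($n1, $r1, $storedH, $t + 2) ? 'accepted' : 'rejected');

$n2 = $server->issueChallenge($t);
$r2 = ChallengeClient::respond($n2, $storedH);
printf("after ttl:        %s\n", $server->verify($n2, $r2, $storedH, $t + 120) ? 'accepted' : 'rejected');

$n3 = $server->issueChallenge($t);
$r3 = ChallengeClient::respond($n3, ChallengeClient::secret('hunter2'));
printf("wrong password:   %s\n", $server->verify($n3, $r3, $storedH, $t + 1) ? 'accepted' : 'rejected');
```

In a real deployment the outstanding-nonce table lives in the session store or a cache with the same TTL, and expired entries are swept so the table cannot grow without bound from unanswered challenges.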
软甜啾 2024-12-02 08:01:20

Try this (very easy to use) class I wrote which includes automatic algorithm detection to get the most secure algorithm that your server supports: http://netentwicklung.wordpress.com/2012/06/17/87/
