使用 Code Igniter 存储密码的最安全方法是什么?
我正在为我当前的项目使用 Code Igniter。
截至目前,我正在使用 MD5 进行密码散列,但我在很多地方读到,这样做不是一个好的做法。
我应该带什么去?
- 使用salt
- 或者我应该使用bcrypt
另外,如果推荐bcrypt,那么如何将它与Code Igniter一起使用?
编辑
我已将这些文件放入 application/libraries
- PasswordHash.php
- c/Makefile
- c/crypt_private.c
在我的控制器中,我正在使用此代码 -
$params = array(
'phpass_hash_strength' => 8,
'phpass_hash_portable' => FALSE
);
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);
我收到这些错误 -
A PHP Error was encountered
Severity: Notice
Message: Uninitialized string offset: 3
Filename: libraries/PasswordHash.php
Line Number: 116
A PHP Error was encountered
Severity: Warning
Message: strpos() [function.strpos]: Empty delimiter
Filename: libraries/PasswordHash.php
Line Number: 116
更新
已删除 PasswordHash .php,现在使用SimpleLoginSecure。
I am using Code Igniter for my current project.
As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so.
What should I go with?
- Using a salt
- Or should I use bcrypt
Also, if bcrypt is recommended, then how to use it with Code Igniter?
EDIT
I have put these files in application/libraries
- PasswordHash.php
- c/Makefile
- c/crypt_private.c
In my controller, I am using this code -
$params = array(
'phpass_hash_strength' => 8,
'phpass_hash_portable' => FALSE
);
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);
I am getting these errors -
A PHP Error was encountered
Severity: Notice
Message: Uninitialized string offset: 3
Filename: libraries/PasswordHash.php
Line Number: 116
A PHP Error was encountered
Severity: Warning
Message: strpos() [function.strpos]: Empty delimiter
Filename: libraries/PasswordHash.php
Line Number: 116
Update
Removed PasswordHash.php, using SimpleLoginSecure now.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
使用 bcrypt。这个讨论出现在这里在我的评论中回答。您可以使用 phppass 等库来真正简化密码加密。
关于盐的问题。使用它!否则,有人可以简单地访问此网站并下载涵盖绝大多数的彩虹表普通用户选择的密码。特别是考虑到过去几个月出现的所有安全漏洞,现在不是说您不会使用像随机盐这样简单的实现方式的时候。
更新
要将 PHPPass 与 CI 结合使用,请从上面链接的 phppass 网站下载并提取文件。将PasswordHash.php 文件放入您的CI application/libraries 目录中。
然后,在代码中,您可以通过以下方式加载库:
$this->load->library('PasswordHash',array(8, FALSE));哈希密码就像
$this->PasswordHash->HashPassword($password);要稍后检查密码是否正确,很简单:
我从 http://dev.myunv.com/articles/secure-passwords-with-phpass / 这为您提供了更多信息。我稍微修改了该教程以利用 CI 的加载器,这就是为什么您不需要
include或new语句。Use bcrypt. This discussion came up here in the comments to my answer. You can use a library such as phppass to really simplify the password encryption.
On the matter of salt. Use it! Otherwise somebody can simply go to this site and download the rainbow tables that will cover the large majority of passwords the average users chooses. Especially with all the security leaks in the last few months, now is not the time to be saying you won't use something as simple to implement as random salt.
UPDATE
To use PHPPass with CI, download and extract the files from the phppass website, linked above. Put the PasswordHash.php file into your CI application/libraries directory.
In your code, you then load the library via:
$this->load->library('PasswordHash',array(8, FALSE));Hashing passwords is then as simple as
$this->PasswordHash->HashPassword($password);To later check if a password is correct, it is as simple as:
I've taken this demo from http://dev.myunv.com/articles/secure-passwords-with-phpass/ which gives you a lot more informations. I've modified that tutorial slightly to utilize CI's loader which is why you don't need the
includeornewstatements.为什么要使用
md5(),因为它同样易于使用<代码>sha1()?Table 攻击的威胁
另外,对密码加盐始终是一个好主意,因为它可以有效消除 Rainbow 根据我的经验,加盐 SHA1 哈希对于 99% 的 Web 应用程序情况来说都是非常安全的。
why use
md5()when it is just as easy to usesha1()?Also salting the passwords is always a good idea as it effectively removes the threat of a Rainbow Table attack
In my experience a salted SHA1 hash is pleanty secure for 99% of web application situations.
自从提出这个问题以来,Code Igniter 已经发生了变化。但为了那些可能没有接触过 CI 的大量文档或以前没有见过这一点的人的利益,CI 有一个加密类,它使用 PHP 的 Mcrypt 库提供双向数据加密。
使用以下方法初始化类后:
您可以按如下方式加密:
并按如下方式解密:
CI 还具有不可解码的单向哈希:
有关详细信息,请参阅:
http://www.codeigniter.com/user_guide/libraries/encryption.html
Code Igniter has changed since the time this question was asked. But for the benefit of some who may not have come across the extensive documentation of CI or haven't seen this before, CI has an encryption class which provides a two-way data encryption using the Mcrypt library of PHP.
After initializing the class using:
You can encrypt as follows:
and decrypt as follows:
CI also has a non-decodable 1-way hashing:
For more information see:
http://www.codeigniter.com/user_guide/libraries/encryption.html