PHP.net 说 md5() 和 sha1() 不适合密码?
http://www.php.net/manual/en /faq.passwords.php#faq.passwords.fasthash
我将用户密码以哈希形式存储在 MySQL 数据库中。这是否意味着这样做不安全?如果是,我有什么选择?
http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
I'm storing user passwords in a MySQL database in hash form. Does this mean that it is unsafe to do so? If it is, what are my alternatives?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
正如您链接到的页面所建议的那样,请使用带有 Blowfish 算法的 PHP
crypt()
函数。另外,每次调用 crypt() 时都使用不同的盐。您可以将盐值与密码存储在同一个数据库表中,以便稍后比较密码时可以使用它。要使用 Blowfish 算法调用
crypt()
,请使用以$2a$
开头的盐,后跟 04 到 31 之间的数字(“成本参数”),后跟$
,然后是字母表中的 22 位数字./0-9A-Za-z
。PHP: crypt 手册 包含有关如何使用
的更多详细信息加密()
As the page you linked to recommends, use the PHP
crypt()
function with the Blowfish algorithm. Also, use a varying salt for each call tocrypt()
. You can store the salt values in the same database table as the password, so that it can be used when you compare the passwords later.To call
crypt()
with the Blowfish algorithm, use a salt that begins with$2a$
, followed by a number (the "cost parameter") between 04 and 31, followed by a$
, and then 22 digits from the alphabet./0-9A-Za-z
.The PHP: crypt manual contains more details on how to use
crypt()
阅读链接的下一部分:如果常见的哈希函数不合适,我应该如何对我的密码进行哈希处理?
Read the next section of the link: How should I hash my passwords, if the common hash functions are not suitable?
有关为什么使用普通、无盐 MD5 进行密码散列不是一个好主意的具体示例,请尝试将一些相当常见的密码的 MD5 散列输入到诸如 md5decrypter.co.uk 或 md5hashcracker.appspot.com 或 md5this.com。或者直接进入 Google,对大多数此类网站建立索引(还有许多其他网站)。
For a concrete example of why using plain, unsalted MD5 for password hashing is a bad idea, try entering the MD5 hashes of some reasonably common passwords into a site like md5decrypter.co.uk or md5hashcracker.appspot.com or md5this.com. Or just into Google, which indexes most of those sites (and many others too).
您链接到的常见问题解答中的下一个问题对此进行了讨论:如何如果常见的哈希函数不合适,我应该对密码进行哈希处理吗?
来自常见问题解答:
接下来的问题是关于盐的。
The next question in the FAQ you linked to discusses it: How should I hash my passwords, if the common hash functions are not suitable?
From the FAQ:
The question following that is about salt.
之前已经回答过很多次了。您可以使用 SHA-256 http://php.net/manual/en/function .hash.php 但你还应该在对密码进行哈希处理之前对密码加盐,并且你可以迭代地对密码进行哈希处理 - 因此,在不太可能的情况下,它被破解,它只会显示另一个哈希值(换句话说,破解密码需要花费很多时间更长)。
Has been answered many times before. You can use something like SHA-256 http://php.net/manual/en/function.hash.php but you should also salt the password before hashing it and you can iteratively hash the password - so in the unlikely event it is cracked it will only reveal another hash (in other words, cracking the password takes much longer).