All said MD5 unsafe, seemingly often said to use SHA1 () encryption more secure, and even useful a call bcrypt algorithm, you phper usually how to choose?
Reply content:
All said MD5 unsafe, seemingly often said to use SHA1 () encryption more secure, and even useful a call bcrypt algorithm, you phper usually how to choose?
Master you can use md5
or sha1
carry out preliminary processing, but in order to be more secure, please add two at the same time salt
, a static salt
, a dynamic salt
. Take md5
for example:
Assuming that POST
the password is passed $_POST['password']
in, the DB
following actions should be performed before depositing:
$password = hash('md5', $_POST['password'].$staticSalt.$dynamicSalt);
To ensure salt
the uniqueness of the dynamic, you can do this:
$dynamicSalt = hash('md5', microtime());
For dynamic salt
can be saved in with the generated password DB
, and static salt
can be placed directly in the class file (for example, defined as a static property).
First of all, thank you for taking my answer, but my previous answer is not the best answer, the reason for this encryption is the idea that the source code may be older, so it does not use the newer version of the encryption method, such as bcrypt
.
In addition, 2nd, thanks to the comments of several predecessors of the point, already understand that the meaning of setting static is not salt
big, to generate a longer dynamic salt
can already solve the problem.
LZ should be added salt hash.
How to "pickle" the password?
=_,=
The correct format should be that the user password+ the dynamic salt
The dynamic salt does not use the Microtime, as the 2L says, because time is not random enough in some cases and is likely to be guessed.
I recommend a salt hash I use.
$salt=base64_encode(mcrypt_create_iv(32,MCRYPT_DEV_RANDOM));$password=sha1($register_password.$salt);
Explain:
First, use MCrypt to generate random number functions that are randomly generated by the computer and specifically encrypted by the user.
The second step is to encrypt the resulting random number through Base64, making it longer and not conducive to guessing.
In the third step, the resulting salt is stitched to the back of the password and then hashed with the SHA1.
The password is then credited to the user's database.
PS: Why not use a static salt? It is not necessary to use a dynamic random long enough salt to suffice.
Why not MD5? Because the length is not enough.
Why not use multiple hashes? Because it is easy to collide.
How to use "pickled" good password after hash good?
User Registration--Submit password--Generate salt-> preserved password into the database->salt stored in the database.
User Login--Submit password----call salt after the commit password, make a hash-> call before you register a pickled password--vs. hash value is the same as this password
Finally recommended an article, I benefited from it, I hope the LZ also has a harvest.
http://blog.jobbole.com/61872/
You can try Phpass.
The way to hash a password is relatively secure by using the bcrypt algorithm. The Open source Phpass library provides this functionality in an easy-to-use class.
This is my previous write about password encryption blog post, welcome reference.
Http://www.wkii.org/save-user-password-use-bcrypt-or-pbkdf2.html
Also, refer to php5.5 's built-in functions
http://www.php.net/manual/zh/function.hash-pbkdf2.php
I wrote the PBKDF2 with the output of the php5.5 function in accordance with the results.