Password
Hashing passwords directly with MD5 or SHA1 is unsafe!!! Both are fast, unsalted digests: identical passwords produce identical hashes, precomputed tables apply, and a GPU can test billions of guesses per second.
crypt() and hash_equals():
http://php.net/manual/zh/function.crypt.php
<?php
// crypt() and hash_equals()
$pwds = ['123456', '123456', '123456', 'aaa', '_123456789zxcvbnmasdfghjklqwertyuiop'];

// random_bytes() is the CSPRNG since PHP 7.0; mcrypt_create_iv() is the pre-7 fallback
// (it was removed in PHP 7.2, and before 5.6 it defaulted to the blocking /dev/random).
function get_random_bytes($size)
{
    return function_exists('random_bytes') ? random_bytes($size) : mcrypt_create_iv($size);
}

// base64 of 32 random bytes with '+' mapped to '.', so every character is in the
// crypt() salt alphabet [./0-9A-Za-z]; truncated to the length the scheme accepts.
function get_salt($size)
{
    return substr(strtr(base64_encode(get_random_bytes(32)), '+', '.'), 0, $size);
}

/**
 * MD5-crypt ($1$): the 12-character salt is "$1$" + 8 random characters + "$",
 * so only 8 characters are actually random. This is a legacy scheme; for new
 * code prefer the bcrypt prefix "$2y$" or password_hash() below.
 */
$t_s = microtime(true);
foreach ($pwds as $key => $pwd) {
    $t1 = microtime(true);
    $hashed_pwd = crypt($pwd, '$1$' . get_salt(8));
    $t2 = microtime(true);
    var_dump($pwd, $hashed_pwd);
    // Verify by re-hashing the candidate with the stored hash as the salt,
    // then comparing in constant time.
    if (hash_equals($hashed_pwd, crypt($pwd, $hashed_pwd))) {
        echo 'Password is valid!';
    } else {
        echo 'Invalid password.';
    }
    $t3 = microtime(true);
    var_dump($t2 - $t1, $t3 - $t2); // time to hash, time to verify
    echo "\n";
}
var_dump(microtime(true) - $t_s); // total for all five passwords
password_hash() and password_verify() (deliberately slow: the cost factor is what makes offline guessing expensive, so this is the choice when security requirements are high):
http://php.net/manual/zh/function.password-hash.php
<?php
// password_hash() and password_verify()
$pwds = ['123456', '123456', '123456', 'aaa', '_123456789zxcvbnmasdfghjklqwertyuiop'];

/**
 * We want to hash the password with the default algorithm.
 * Currently that is BCRYPT, which produces a 60-character result.
 *
 * Note that the default algorithm may change over time,
 * so the storage column must hold more than 60 characters (255 is a good choice).
 */
$t_s = microtime(true);
foreach ($pwds as $key => $pwd) {
    $t1 = microtime(true);
    // The salt and cost are generated and embedded in the result; nothing else to store.
    $hashed_pwd = password_hash($pwd, PASSWORD_DEFAULT);
    $t2 = microtime(true);
    var_dump($pwd, $hashed_pwd);
    // password_verify() reads the algorithm, cost and salt out of the hash and compares in constant time.
    if (password_verify($pwd, $hashed_pwd)) {
        echo 'Password is valid!';
    } else {
        echo 'Invalid password.';
    }
    $t3 = microtime(true);
    var_dump($t2 - $t1, $t3 - $t2); // time to hash, time to verify
    echo "\n";
}
var_dump(microtime(true) - $t_s); // total for all five passwords
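The two snippets above hash and verify in isolation. What a login path also needs is a way to move stored hashes forward: legacy crypt() entries from the first section have to be upgraded once the user logs in with the plaintext, and bcrypt hashes with an outdated cost have to be re-hashed. The following is an added example, not code from the original post; the function names, the `PASSWORD_OPTIONS` cost of 12, and the three sample user records are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Assumption: each user record stores
// either a legacy MD5-crypt hash ("$1$...") or a password_hash() result.

// Assumed cost; tune it with measurePasswordCost() below. These are bcrypt options,
// so revisit them if PASSWORD_DEFAULT ever changes algorithm.
const PASSWORD_OPTIONS = ['cost' => 12];

/**
 * Verify $password against the stored hash. Returns false on mismatch.
 * On success returns the hash that should now be stored: unchanged if it is
 * already current, otherwise a fresh password_hash() result (legacy crypt()
 * hashes and bcrypt hashes with an outdated cost are both upgraded).
 */
function verifyAndUpgrade(string $password, string $storedHash)
{
    if (strncmp($storedHash, '$1$', 3) === 0) {
        // Legacy MD5-crypt entry: check it the way the crypt() section does ...
        if (!hash_equals($storedHash, crypt($password, $storedHash))) {
            return false;
        }
        // ... and replace it now that we hold the plaintext.
        return password_hash($password, PASSWORD_DEFAULT, PASSWORD_OPTIONS);
    }

    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // True if the algorithm or any option (here: cost) differs from what we want now.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, PASSWORD_OPTIONS)) {
        return password_hash($password, PASSWORD_DEFAULT, PASSWORD_OPTIONS);
    }
    return $storedHash;
}

/**
 * Pick the largest bcrypt cost that keeps one hash under $targetMs on this machine.
 * Cost is logarithmic: each +1 doubles the work for attacker and defender alike.
 */
function measurePasswordCost(float $targetMs = 250.0): int
{
    $cost = 4; // bcrypt minimum accepted by PHP
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < 31);
    return $cost - 1; // last cost that stayed under the target
}

// Constructed sample store: a legacy crypt() hash, a current hash, and one hashed
// with a cost that is now too low.
$users = [
    'alice' => crypt('123456', '$1$saltsalt$'),
    'bob'   => password_hash('123456', PASSWORD_DEFAULT, PASSWORD_OPTIONS),
    'carol' => password_hash('aaa', PASSWORD_BCRYPT, ['cost' => 4]),
];

$attempts = [['alice', '123456'], ['bob', '123456'], ['carol', 'aaa'], ['carol', 'wrong']];
foreach ($attempts as [$user, $attempt]) {
    $result = verifyAndUpgrade($attempt, $users[$user]);
    if ($result === false) {
        echo "$user: invalid password\n";
        continue;
    }
    echo "$user: valid", ($result !== $users[$user] ? ', hash upgraded' : ''), "\n";
    $users[$user] = $result; // persist the new hash in place of the old one
}

echo 'Suggested bcrypt cost for this machine: ', measurePasswordCost(), "\n";
```

The upgrade only happens on a successful login because that is the only moment the plaintext is available; until then the legacy hash stays as it is, so the `$1$` branch has to remain in place until every active account has been through it.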
Tokens and Salt
http://php.net/manual/zh/function.random-bytes.php#118932
I used the function below to create random tokens, and also a salt from the token. I used it in my application to prevent CSRF attacks.
<?php
function randomToken($length = 32)
{
    if (!isset($length) || intval($length) <= 8) {
        $length = 32; // refuse short tokens; 32 bytes = 256 bits = 64 hex characters
    }
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($length)); // PHP 7+: OS CSPRNG, preferred
    }
    if (function_exists('mcrypt_create_iv')) {
        // PHP 5.x fallback; mcrypt was removed in PHP 7.2
        return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        // Only trust the output if OpenSSL reports a cryptographically strong source
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true) {
            return bin2hex($bytes);
        }
    }
    // Better to fail loudly than to hand out a predictable token
    throw new RuntimeException('No cryptographically secure random source available');
}

// Salt derived from a token: 32 random bytes, base64-encoded (44 characters), '+' mapped to '.'
function salt()
{
    return substr(strtr(base64_encode(hex2bin(randomToken(32))), '+', '.'), 0, 44);
}

echo randomToken();
echo "\n";
echo salt();
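The php.net comment above only generates the token. For it to stop a CSRF attack, the token has to be bound to the session, carried in every state-changing form, and compared in constant time on the way back in, with the malformed cases rejected before the comparison. The following is an added example, not code from the comment's author or from php.net; `$session` stands in for `$_SESSION` (an array passed by reference) so the script runs from the CLI without `session_start()`, and the function names and the constructed requests are assumptions.

```php
<?php
// Added example (not part of the php.net comment). Assumption: $session plays the
// role of $_SESSION so this runs from the CLI without session_start().

/** Issue (or reuse) the per-session CSRF token: 32 CSPRNG bytes, hex-encoded. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the token submitted with a POST. True only for an exact match.
 * The type check comes first: hash_equals() requires two strings (PHP 8 throws a
 * TypeError on null or array), and a missing field or csrf_token[]=x in the body
 * must simply be rejected, not turned into an error page.
 */
function csrfCheck(array $session, $submitted): bool
{
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison. A plain === leaks the position of the first
    // mismatching byte through timing, and == compares numeric-looking strings
    // (such as "0e...") numerically.
    return hash_equals($session['csrf_token'], $submitted);
}

// Constructed demo: one session, a legitimate post and three forged/malformed ones.
$session = [];
echo csrfField($session), "\n";

$posts = [
    'legitimate'      => ['csrf_token' => $session['csrf_token']],
    'missing field'   => [],
    'guessed token'   => ['csrf_token' => bin2hex(random_bytes(32))],
    'array injection' => ['csrf_token' => ['x']],
];

foreach ($posts as $label => $post) {
    echo $label, ': ';
    var_dump(csrfCheck($session, $post['csrf_token'] ?? null));
}

// A second session never shares the token, so a token stolen from one user is
// useless against another.
$other = [];
csrfToken($other);
echo 'cross-session: ';
var_dump(csrfCheck($other, $session['csrf_token']));
```

Only the legitimate post passes; the other four return false without touching `hash_equals()` or, for the guessed and cross-session tokens, after a constant-time comparison that reveals nothing about where the bytes differed.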