Going from unsalted to salted MD5 passwords

Backend · Unresolved · 12 answers · 812 views
臣服心动 2021-02-07 02:56

I have a LAMP (PHP) website which is becoming popular.

I played it safe by storing the user passwords as md5 hashes.

But I now see that's not secure; I should h

12 answers
  •  囚心锁ツ 2021-02-07 03:49

    If you're moving away from MD5, you should skip simple salting and go to an even better technique called stretching. In particular you should use bcrypt (implemented as PHPASS for PHP).

    Here is a great link on why bcrypt: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

    And here is a short how-to:

    1. Download the phpass package: http://www.openwall.com/phpass/
    2. Look at test.php for examples like the one below:

    <?php
    require 'PasswordHash.php';
    // 8 = iteration count log2 (2^8 bcrypt rounds); FALSE = do not force the weaker
    // "portable" MD5-based hashes, so real bcrypt is used when available
    $t_hasher = new PasswordHash(8, FALSE);
    $correct = 'plaintextpassword';
    $hash = $t_hasher->HashPassword($correct);            // salted, stretched hash to store in the DB
    $check = $t_hasher->CheckPassword($correct, $hash);   // TRUE only if the password matches the hash
    

    If $check === true (which is the case above) then the password is correct. If your password is 'hello', you would hash it using HashPassword, put the hash in a database, and when a user logs in, call CheckPassword(userenteredpassword, hashInDb) to see if the password is correct.
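The migration the question is really asking about, moving an existing table of unsalted MD5 digests to bcrypt without forcing a password reset, as an added example that is not code from the original answer or from the phpass package. It assumes PHP >= 7.0 and the built-in password_hash()/password_verify(), which perform the same bcrypt stretching as phpass's HashPassword()/CheckPassword() (those can be swapped in if you keep phpass); the in-memory $users array, the user names and passwords, and the LEGACY_PREFIX marker are constructed for illustration.

```php
<?php
// Added example, not code from the original answer or the phpass package.
// Assumes PHP >= 7.0 (scalar type hints) and the built-in password_hash()/
// password_verify(), which perform the same bcrypt stretching as phpass's
// HashPassword()/CheckPassword(); the $users array, names, passwords and the
// LEGACY_PREFIX marker are constructed for illustration.

const BCRYPT_COST   = 10;             // 2^10 rounds; comparable to phpass PasswordHash(10, FALSE)
const LEGACY_PREFIX = 'md5-wrapped:'; // marks rows that still contain an MD5 digest inside bcrypt

// Constructed "users table": name => stored credential. Legacy rows hold a bare
// unsalted MD5 hex digest, exactly the situation described in the question.
$users = [
    'alice' => md5('correct horse battery staple'),
    'bob'   => md5('hunter2'),
];

function is_unsalted_md5(string $stored): bool {
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function bcrypt_hash(string $secret): string {
    return password_hash($secret, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Step 1, one-off batch job: wrap every legacy MD5 in bcrypt right away, so a
// leaked table no longer exposes crackable raw MD5 even for users who never log in again.
function migrate_all(array &$users): int {
    $migrated = 0;
    foreach ($users as $name => $stored) {
        if (is_unsalted_md5($stored)) {
            $users[$name] = LEGACY_PREFIX . bcrypt_hash($stored);
            $migrated++;
        }
    }
    return $migrated;
}

// Step 2, at login: verify against whichever format the row holds and, on success,
// replace anything MD5-based with a bcrypt hash of the real password.
function verify_and_upgrade(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        // Unknown user: burn one bcrypt verification so timing does not reveal valid names.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = bcrypt_hash('dummy');
        }
        password_verify($password, $dummy);
        return false;
    }
    $stored = $users[$name];

    if (strpos($stored, LEGACY_PREFIX) === 0) {
        // Transitional format produced by migrate_all(): bcrypt(md5(password))
        $ok = password_verify(md5($password), substr($stored, strlen(LEGACY_PREFIX)));
    } elseif (is_unsalted_md5($stored)) {
        // Row missed by the batch job: constant-time compare against the raw MD5
        $ok = hash_equals($stored, md5($password));
    } else {
        // Already plain bcrypt; rehash only if the cost parameter has been raised since
        $ok = password_verify($password, $stored);
        if ($ok && !password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            return true;
        }
    }

    if ($ok) {
        // A successful login is the only moment the plaintext is available: upgrade now.
        $users[$name] = bcrypt_hash($password);
    }
    return $ok;
}

migrate_all($users);
verify_and_upgrade($users, 'alice', 'wrong password');                 // wrong password: row is left unchanged
verify_and_upgrade($users, 'alice', 'correct horse battery staple');   // wrapped-MD5 path; row is rewritten as plain bcrypt
verify_and_upgrade($users, 'alice', 'correct horse battery staple');   // same login now takes the plain bcrypt path
printf("alice: %s\nbob:   %s\n", $users['alice'], $users['bob']);
```

The string prefix is only a stand-in for a real schema flag (a `hash_version` column is cleaner). Run migrate_all() as soon as the code is deployed rather than waiting for logins: the wrapped rows are as expensive to crack as any other bcrypt hash, so bob, who may never log in again, is protected too.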
