Why is the PHP crypt() function returning the same thing for two different strings?

Backend | Unresolved | 3 | 1948
栀梦 2021-01-22 23:49

I'm using PHP's crypt function for password hashing/encryption, but I don't think I am doing it right because "nathan12" and "nathan123" both allow me to log

3 answers
  •  清酒与你
    2021-01-23 00:27

    You should use more than just a password salt to encrypt passwords.

    You can store a random string in your configuration file.

    $config['passwordKey'] = 'asjdfa783#H$Khjsdfhas78a734J%JSDGK2348235hxmfdA';
    

    And append it to $salt when encrypting. This way, if the database is compromised and your file system is not, attackers can't decrypt your database password hashes. This should be essential to protect the users' information on other sites with identical login information.


    To hash your passwords, password_hash is a simple crypt() wrapper specially configured for password hashing! (source)

    $password = password_hash($password, PASSWORD_BCRYPT, array(
        'cost' => 12,   // bcrypt cost must be between 4 and 31; a value of 60 is rejected by password_hash()
        'salt' => $salt . $config['passwordKey']   // the 'salt' option is deprecated since PHP 7.0 and ignored since PHP 8.0
    ));
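The following PHP script is an added example, not code from the answer above or from the original poster. It does two things: it reproduces the collision the question asks about (plain crypt() with a 2-character salt selects traditional DES, which only uses the first 8 characters of the password, so "nathan12" and "nathan123" hash identically), and it shows the pattern the answer recommends, bcrypt via password_hash() plus a server-side secret key, in the form that current PHP accepts. Because password_hash() generates its own salt and the 'salt' option is deprecated, the key is folded in with HMAC-SHA256 instead of being appended to the salt; this also keeps the bcrypt input well under bcrypt's 72-byte limit. The $config['passwordKey'] value and the function names are assumptions for illustration.

```php
<?php
// Added example, not part of the original answer.
// Assumes $config['passwordKey'] is a secret loaded from a config file or
// environment variable outside the web root (hypothetical value below).

declare(strict_types=1);

// Traditional DES crypt() (selected by a 2-character salt) only looks at the
// first 8 characters of the password, which is why the two logins both work.
function des_crypt_collides(string $a, string $b): bool
{
    $salt = 'ab';   // two-character salt => standard DES crypt
    return crypt($a, $salt) === crypt($b, $salt);
}

// Fold the server-side key ("pepper") in with HMAC-SHA256. The result is a
// fixed 64-character hex string, so every password contributes fully and
// nothing is silently truncated before bcrypt sees it.
function pepper_password(string $password, string $key): string
{
    return hash_hmac('sha256', $password, $key);
}

function hash_password(string $password, string $key): string
{
    // bcrypt cost must be between 4 and 31; 12 is a reasonable default for
    // interactive logins. password_hash() picks a random salt itself.
    return password_hash(pepper_password($password, $key), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $password, string $key, string $stored): bool
{
    return password_verify(pepper_password($password, $key), $stored);
}

// Hypothetical key; never store it in the same database as the hashes.
$config['passwordKey'] = 'asjdfa783#H$Khjsdfhas78a734J%JSDGK2348235hxmfdA';

var_dump(des_crypt_collides('nathan12', 'nathan123'));

$stored = hash_password('nathan12', $config['passwordKey']);
var_dump(verify_password('nathan12', $config['passwordKey'], $stored));
var_dump(verify_password('nathan123', $config['passwordKey'], $stored));
var_dump(verify_password('nathan12', 'wrong-key', $stored));
```

Run with `php example.php`: the DES check reports a collision, the bcrypt verification accepts only the exact password, and a wrong key fails even with the right password. Note what the key does and does not buy you: an attacker who steals only the database cannot run an offline guessing attack without it, but an attacker who also reads the key is back to attacking bcrypt at cost 12, so the key is a second layer, not a replacement for a slow hash.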
    
