Password storage: hash() with SHA-512 or crypt() with Blowfish (bcrypt)?

无人及你 2021-01-15 01:27

This is my current password hashing procedure in PHP/SQL projects...

  • Take 512 bits of per-user salt from /dev/urandom, stored in the user's DB record in additi
2 answers
  • 2021-01-15 01:49

    You are definitely on the right track, bcrypt is a very nice way to store your passwords (scrypt is better but hard to find a good implementation in PHP).

    Remember that sha1, sha256, sha512 were never made to hash passwords. They were designed to be fast, so that you could take large data sets and create a unique signature for them, in the shortest amount of time. They are used for signing more than anything else.

    You definitely want to use a hashing algorithm that takes more time.

    Side note: Some would argue that the pepper is pointless, since if they hack your system, they will have access to your salts and pepper.

    This post has some great insights into password security.

  • 2021-01-15 02:00

    If you can wait until PHP 5.5, there will be some helpful functions for this built in:

    https://gist.github.com/3707231

    Till then, use crypt - you could look at this forward compatible port of the new functions:

    https://github.com/ircmaxell/password_compat

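The following is an added example, not code from either answer, from the linked gist, or from the password_compat library. It shows both routes the answers describe side by side: building a bcrypt hash by hand with crypt() and a Blowfish ($2y$) salt drawn from a CSPRNG, and the password_hash()/password_verify()/password_needs_rehash() API that arrived in PHP 5.5 (and that password_compat back-ports). The constant BCRYPT_COST, the helper names, and the sample password are assumptions made for the example; it assumes PHP 5.6 or later for hash_equals() and falls back to openssl_random_pseudo_bytes() where random_bytes() (PHP 7+) is missing. It also times a single bcrypt hash against a loop of SHA-512 calls to make the first answer's point about speed concrete.

```php
<?php
// Added example; not code from the original answers or from password_compat.
// BCRYPT_COST is a hypothetical tuning value: raise it until one hash takes
// on the order of 100-250 ms on the hardware that will verify logins.
const BCRYPT_COST = 12;

function random_salt_bytes($n)
{
    if (function_exists('random_bytes')) {        // PHP 7+
        return random_bytes($n);
    }
    return openssl_random_pseudo_bytes($n);       // PHP 5.3+ fallback (assumption: OpenSSL ext present)
}

// Route 1 (pre-5.5): bcrypt through crypt() with a hand-built "$2y$<cost>$<22-char salt>" setting.
// bcrypt's salt alphabet is [./A-Za-z0-9], so base64's '+' is mapped to '.'; '/' is already valid.
function bcrypt_with_crypt($password, $cost = BCRYPT_COST)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = substr(strtr(base64_encode(random_salt_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() reports failure with a short string such as "*0"; never store that.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed (PHP < 5.3.7 has no $2y$ support)');
    }
    return $hash;
}

function verify_with_crypt($password, $stored)
{
    // Passing the stored hash back in as the "salt" makes crypt() reuse its
    // embedded cost and salt; hash_equals() keeps the comparison constant-time.
    return hash_equals($stored, crypt($password, $stored));
}

// Route 2 (PHP 5.5+, or password_compat on 5.3.7+): the same bcrypt, salt generated for you.
function bcrypt_with_password_hash($password, $cost = BCRYPT_COST)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Verify, and if the stored hash was produced with a weaker cost (or another
// algorithm), return a fresh hash so the caller can update the user's DB record.
function verify_and_maybe_rehash($password, $stored, $cost = BCRYPT_COST)
{
    if (!password_verify($password, $stored)) {
        return array(false, null);
    }
    $fresh = password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => $cost))
        ? password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost))
        : null;
    return array(true, $fresh);
}

// Seconds per SHA-512 call versus seconds for one bcrypt hash at BCRYPT_COST.
function time_sha512_vs_bcrypt($password, $iterations = 1000)
{
    $t = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        hash('sha512', 'constructed-salt' . $password);
    }
    $sha = (microtime(true) - $t) / $iterations;

    $t = microtime(true);
    bcrypt_with_crypt($password);
    $bcrypt = microtime(true) - $t;

    return array('sha512_seconds_per_hash' => $sha, 'bcrypt_seconds_per_hash' => $bcrypt);
}

function check($label, $condition)
{
    if (!$condition) {
        throw new RuntimeException("check failed: $label");
    }
}

$password = 'correct horse battery staple';   // constructed sample input

$h1 = bcrypt_with_crypt($password);
$h2 = bcrypt_with_password_hash($password);
check('crypt() hash verifies', verify_with_crypt($password, $h1));
check('wrong password rejected', !verify_with_crypt('wrong password', $h1));
// Both routes emit the same "$2y$12$..." format, so they verify each other's output.
check('password_verify accepts crypt() hash', password_verify($password, $h1));
check('crypt() accepts password_hash() output', verify_with_crypt($password, $h2));
// A hash stored at cost 10 is flagged for upgrade once policy moves to BCRYPT_COST.
$old = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
list($ok, $fresh) = verify_and_maybe_rehash($password, $old);
check('old hash still verifies', $ok);
check('old hash scheduled for rehash', $fresh !== null && strpos($fresh, '$2y$12$') === 0);

print_r(time_sha512_vs_bcrypt($password));
```

Two caveats worth keeping in mind when adapting this: bcrypt only looks at the first 72 bytes of the password, so very long passphrases are silently truncated, and the cost parameter is what actually makes the hash slow, so it belongs under a constant you revisit as hardware improves rather than a number copied from a 2012 answer.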