phpass | 易学教程

Using PHPass to hash password trouble

阅读更多关于 Using PHPass to hash password trouble

问题 I am using PHPASS to store password encrypted and compare when login. here is the code ob_start(); $userName = $password = ""; $userNameErr = $passwordErr = $loginErr = ""; $hasher = new PasswordHash(8, false); if (isset($_POST['subEmployee'])) { if (empty($_POST['user_name'])) { $userNameErr = "User name is required"; } else { $userName = check_input($_POST['user_name']); if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) { $userNameErr = "Only letters, numbers and '_' allowed"; } } if (empty(

Registration page: Storing password using PHPASS

阅读更多关于 Registration page: Storing password using PHPASS

问题 I'm attempting to store my users passwords using phpass but I'm struggling to implement it correctly. I had working code but I was storing my password as text, which I've learned is not safe. According to phpbestpractices.org the most secure way is phpass, so away I went. I tried reading their tutorial but it is a little too far ahead of my skill range. The changes I made from my original code can be seen here: http://www.diffchecker.com/6gw4g2ps I apologize ahead of time if I completely

What is the benefit of a “random” salt over a “unique” salt?

阅读更多关于 What is the benefit of a “random” salt over a “unique” salt?

问题 I am currently writing a program and part of it involves securely creating password hashes to store in a database and I came across the phpass framework, which seems to be highly recommended. In phpass, they seem to go through great lengths to produce a salt that is as truly random as possible to be used for the hashes (e.g. reading from /dev/urandom). My question is, what is the benefit of doing this as opposed to simply using uniqid() ? Isn't the point simply to make sure that the salts

Can I access /dev/urandom with open_basedir in effect?

阅读更多关于 Can I access /dev/urandom with open_basedir in effect?

问题 I want to use phpass-0.3 in Codeigniter, but I get the following error due to open_basedir : A PHP Error was encountered Severity: Warning Message: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/home/phginep:/usr/lib/php:/usr/local/lib/php:/tmp) Filename: phpass-0.3/PasswordHash.php Line Number: 51 Following code: function get_random_bytes($count) { $output = ''; if (is_readable('/dev/urandom') && //Line Number

Portable (PHPass) password hashes. Should I use them?

阅读更多关于 Portable (PHPass) password hashes. Should I use them?

问题 I'm installing a user registration script (Tank Auth) for my website. In the installation guide its says, WARNING: By default the library generates strong system-specific password hashes that are not portable. It means that once created, user database cannot be dumped and exported to another server. This behavior can be changed in config-file as well. This put me in a dilemma. In the future I may want to change servers but I don't want weak passwords either. Are portable password hashes a big

Checkpassword Issue with PHPass

阅读更多关于 Checkpassword Issue with PHPass

问题 I am using phpass for password encryption. When I am adding a user the password is getting hashed and being stored in the database. But when I try logging with the user credentials stored in the database checkpassword returns an empty string. Below given is the code I am using for checking the passwords. function PackageAccess($username,$password) { $db = new mysqli(DB_SERVER,DB_USER,DB_PASSWORD,DB_NAME) or die("Could not Connect"); $hasher = new PasswordHash(8,FALSE); $accessvalue = 0;

phpass fails on Authentication on certain passwords from phpBB3?

阅读更多关于 phpass fails on Authentication on certain passwords from phpBB3?

问题 Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing: <?php # # This is a test program for the portable PHP password hashing framework. # # Written by Solar Designer and placed in the public domain. # See PasswordHash.php for more information. # require 'PasswordHash.php'; header('Content-type: text/plain'); $t_hasher = new

保护PHP密码的哈希和盐值

阅读更多关于保护PHP密码的哈希和盐值

【推荐】2019 Java 开发者跳槽指南.pdf(吐血整理) >>> 当前据说MD5部分不安全。考虑到这一点，我想知道使用哪种机制进行密码保护。这个问题， “双重哈希”密码是否比仅哈希一次密码安全？建议多次散列可能是一个好主意，而如何对单个文件实施密码保护？建议使用盐。我正在使用PHP。我想要一个安全，快速的密码加密系统。将密码哈希一百万次可能更安全，但也更慢。如何在速度和安全性之间取得良好的平衡？另外，我希望结果具有恒定数量的字符。哈希机制必须在PHP中可用必须安全它可以使用盐（在这种情况下，所有盐都一样好吗？是否有任何方法可以生成优质盐？）另外，我是否应该在数据库中存储两个字段（例如，一个使用MD5，另一个使用SHA）？它会使它更安全或更不安全吗？如果我不够清楚，我想知道要使用哪个哈希函数以及如何选择合适的盐，以便拥有安全，快速的密码保护机制。尚未完全涵盖我的问题的相关问题： PHP中的SHA和MD5有什么区别简单密码加密安全的asp.net密钥，密码存储方法您将如何在Tomcat 5.5中实现盐腌密码 #1楼我正在使用 Phpass ，这是一个简单的单文件PHP类，几乎可以在每个PHP项目中轻松实现。另请参见 H。默认情况下，它使用Phpass中实现的最强大的可用加密，该加密是 bcrypt 并回退到MD5等其他加密

phpass CheckPassword using different salts?

阅读更多关于 phpass CheckPassword using different salts?

问题 I have a site with a user area and admin area. In the admin area, I have a page for creating users and a page for creating admins. On the users and admins pages, I used the code below to hash passwords: $hasher = new PasswordHash(8, false); $password = $HTTP_POST_VARS['password']; $hash = $hasher->HashPassword($password); $HTTP_POST_VARS['password'] = $hash; For the user page, the code to check the password is: $hasher = new PasswordHash(8, false); $check = $hasher->CheckPassword($password,

How can * be a safe hashed password?

阅读更多关于 How can * be a safe hashed password?

问题 phpass is a widely used hashing 'framework'. While evaluating phpass' HashPassword I came across this odd method fragment. function HashPassword($password) { // <snip> trying to generate a hash… # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new # hashes and for validating passwords against existing hashes. return '*'; } Answer: we agree this class assumes that we test our hash for equality on * as a means of validating.