可能重复:
PHP密码的安全散列和salt
我尝试创建一个函数,使用haval160,4哈希算法用salt对我的密码进行哈希。但我不明白这是安全问题。我提供以下代码:
请告诉我如何改进安全系统。
<?php
defined("SALT")? NULL : define("SALT", "abcdefthijklmnopqursuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*/'|[]{}()~!@#$%^&*_+:.,;1234567890");
function createSalt(){
static $random_string;
for($i=0;$i<64;$i++){
$random_string .= substr(str_shuffle(SALT), 0,25);
}
return $random_string;
}
global $salts;// I want to store the salt value into my database with password
$salt = createSalt();
$salts = $salt;//I keep this cause I will check the matching password without database
function createPassword($input_data,$salt){
static $hash;
$cryc = crypt($input_data,$salt);
$hash = hash("haval160,4",$cryc);
return $hash;
}
$password = createPassword("123456",$salt);
$stored_password = $password ; // I stored value into a variable cause I want to test without database
//echo $password.'<hr>';
echo "Your Password: ".$password;
echo "<br/> Your SALT VALUE: ".$salt.'<hr>';
function checkPassword($uid,$password,$salts,$stored_password){//this is just a test function... actual function don't require $salts and $stored_password
$db_uid = 1 ;
if($uid === $db_uid){
$db_salt = $salts;
$db_password = createPassword($password,$db_salt);
if($db_password == $stored_password){
echo "Password Match";
}else{
echo"password don't match";
}
}
}
checkPassword(1,"123456",$salts,$stored_password);
?>
您不应该设计自己的加密算法。
使用此bcrypt实现:http://www.openwall.com/phpass/
require '../PasswordHash.php';
$hasher = new PasswordHash($hash_cost_log2=2, $hash_portable=false); // increase the first parameter if you need it to be slower (more secure)
// Create hash
$hash = $hasher->HashPassword($pass);
// Check password
$hasher->CheckPassword($pass, $hash);
这是尽可能安全的,不要麻烦寻找"更安全"的东西,也不要试图添加盐或其他任何东西。