1

I initially used MD5 when I first started out coding to hash user passwords.

$password1 = md5($password);

After reading countless pages with different opinions, what should I be using? crypt, SHA1, SHA256... Here is an example of how I revised the code using SHA1 and static salting.

$salt = '324912343223942833294328432392';
$passwordarray = str_split($password, 2);
$password1 = sha1($passwordarray[0].$salt.$passwordarray[1]);
// insert $password1 into the database

When logging in and checking the password:

$salt = '324912343223942833294328432392';

$passwordarray = str_split($password, 2);
$dbpasswordarray = str_split($dbpassword, 2); // $dbpassword: the value read from the database

$password = sha1($passwordarray[0].$salt.$passwordarray[1]);
$dbpassword = sha1($dbpasswordarray[0].$salt.$dbpasswordarray[1]);

if ($username == $dbusername && $password == $dbpassword)
{
    // login succeeds
}

What should I do to improve/change this code and make it more secure? Can I have an example? Should I do dynamic salting and add a unique salt to each user in the database?

4 Answers

3

You should use bcrypt.

The problem with MD5, SHA-1, etc. is that they were designed to be fast to compute. This makes brute-force and dictionary attacks easy because you can test millions of passwords per second.

Bcrypt solves this by being deliberately slow. It has a work factor that can be adjusted so that as hardware improves you can make the calculation more difficult.

Answered 2012-06-30T04:11:26.547
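An added example of the bcrypt approach this answer recommends, using PHP's built-in password_hash()/password_verify() API (PHP 7.1+ for the type declarations); this is not code from the original question or answer. The cost constant and function names are assumptions for illustration.

```php
<?php
// Added example (not from the original post): bcrypt via PHP's password_* API.
// password_hash() generates a random per-user salt and embeds it, together with
// the cost, in the returned string, so no static $salt constant is needed.

const BCRYPT_COST = 12; // work factor; raise it as hardware gets faster

// Registration: store the returned string (60 characters for bcrypt) in the users table.
// Note: bcrypt only uses the first 72 bytes of the password.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login: compare the submitted password against the stored hash.
// password_verify() reads the salt and cost out of $storedHash and compares in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login: if the stored hash was made with a lower cost than
// BCRYPT_COST, return a fresh hash to write back to the database, else null.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return null;
}

// Demo with a constructed password
$hash = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('wrong password', $hash));
var_dump(rehashIfNeeded('correct horse battery staple', $hash));
```

Raising BCRYPT_COST later does not break existing logins; rehashIfNeeded() upgrades each stored hash the next time that user signs in.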
0

It's partly a matter of how much effort you want to put into securing your logins. In the last couple of years I've been moving toward dynamic salting, i.e. each user having their own salt value. This keeps hackers from using rainbow tables if they get hold of your database. I also use SHA-256 hashing.

Answered 2012-06-30T04:12:26.053
0

Maybe you could follow the example of existing libraries or frameworks.

For example, the Django Framework explains:

How Django stores passwords

The password attribute of a User object is a string in this format:

algorithm$hash

That's a storage algorithm and hash, separated by the dollar-sign character. The algorithm is one of a number of one-way hashing or password storage algorithms Django can use; see below. The hash is the result of the one-way function.

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.

They also provide a helpful link on recommended practices when storing passwords: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

Source: https://docs.djangoproject.com/en/dev/topics/auth/

Answered 2012-06-30T04:13:24.233
0

I would look into a library to handle password hashing/salting/checking etc. A simple, easy-to-implement one is the Portable PHP password hashing framework. This is the same library that WordPress and many other PHP applications use. It automatically checks for the most secure PHP hashing algorithm available, since different PHP distributions support different algorithms. This way you get the maximum possible security without sacrificing portability.

I really like it because it saves me a lot of headaches. When it comes to secure encryption, I'd rather rely on people smarter than me.

Answered 2012-06-30T06:10:10.657