1

可能重复:
PHP 密码的安全哈希和盐

haval160,4我尝试创建一个函数,使用散列算法用盐对我的密码进行散列。但我不明白它的安全性。我提供以下代码:

请让我知道如何改进安全系统。

<?php    
defined("SALT")? NULL : define("SALT", "abcdefthijklmnopqursuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*/\|[]{}()~!@#$%^&*_+:.,;1234567890");

function createSalt(){
        static $random_string;
        for($i=0;$i<64;$i++){
            $random_string .= substr(str_shuffle(SALT), 0,25);
        }
    return $random_string;
}

global $salts;// I want to store the salt value into my database with password
$salt = createSalt();
$salts = $salt;//I keep this cause I will check the matching password without database

function createPassword($input_data,$salt){
    static $hash;
    $cryc = crypt($input_data,$salt);

      $hash = hash("haval160,4",$cryc);

    return $hash;
}

$password = createPassword("123456",$salt);
$stored_password = $password ; // I stored value into a variable cause I want to test without database
//echo $password.'<hr>';

echo "Your Password: ".$password;
echo "<br/> Your SALT VALUE: ".$salt.'<hr>';

function checkPassword($uid,$password,$salts,$stored_password){//this is just a test function... actual function don't require $salts and $stored_password
    $db_uid = 1 ;
    if($uid === $db_uid){

        $db_salt = $salts;

        $db_password = createPassword($password,$db_salt);
        if($db_password == $stored_password){
            echo "Password Match";
        }else{
            echo"password don't match";
        }

    }

}

checkPassword(1,"123456",$salts,$stored_password);

?>
4

1 回答 1

2

您不应该设计自己的加密算法。

使用这个 bcrypt 实现:http ://www.openwall.com/phpass/

require '../PasswordHash.php';
$hasher = new PasswordHash($hash_cost_log2=2, $hash_portable=false); // increase the first parameter if you need it to be slower (more secure)

// Create hash
$hash = $hasher->HashPassword($pass);

// Check password
$hasher->CheckPassword($pass, $hash);

这是尽可能安全的,不要费心寻找“更安全”的东西,也不要尝试添加盐或其他任何东西。

于 2012-08-23T01:32:08.800 回答