我在 PHP.net 上读到 MD5 没用,他们建议使用 crypt + salt。
所以,我去了他们的功能描述并阅读
<?php
$password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
echo "Password verified!";
}
?>
或者在我的情况下是这样的:
$stored_password=fetch_password($user);
if (crypt($_REQUEST['password'],$stored_password)===$stored_password) {
// ok
}
因此,当我看到盐存储在散列密码中并且您将该散列密码用作盐时,我认为 Crypt + Salt 对于输出的蛮力(设法窃取散列密码的黑客)并不更安全。它更安全吗?
对于字典攻击,我可以理解它的威力,但对于散列密码的暴力攻击,我看不到它的优势。