What way is the best way to hash a password? [duplicate]

Published 2019-01-26 22:14

Question:

This question already has an answer here:

  • Secure hash and salt for PHP passwords 14 answers

I'm working on a website that should be very safe for the users, so I need to hash the passwords. Usually I use MD5, but I read that it isn't safe anymore. So I tried PHPass, but then I read that it has also been cracked. So I tried password_hash() of PHP 5.5, but I use HostGator, and the PHP there is 5.4. Also I want to be able to add a salt without knowing it (like time() * userid()), like in password_hash().

The hash strength is very important to me because I want to be 100% sure that my users are safe. So is there a way that is very safe and not something like SHA that will be hacked soon?

Answer 1:

Use this library which provides forward compatibility with the password_* functions.

Example usage:

require_once("password.php"); // imports the library, assuming it's in the same directory as the current script

$password = "HelloStackOverflow"; // example password

$hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password

$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10)); // you can set the "complexity" of the hashing algorithm, it uses more CPU power but it'll be harder to crack, even though the default is already good enough

if (password_verify($password, $hash)) { // checking if a password is valid
    /* Valid */
} else {
    /* Invalid */
}


Answer 2:

PHP comes with built-in hash algorithms such as MD5, SHA1 etc. However, from a security perspective, it's not recommended to use these functions to hash passwords as they can be easily broken via a brute-force attack using tools like Passwordpro.

It's better if you use salting as a way to secure your passwords. Below is an example:

$password = 'yourpassword';
$salt = 'randomstr!ng';
$password = md5($salt.$password);

An even better way of generating the salt is by hashing it first:

$password = 'yourpassword';
$salt = sha1(md5($password));
$password = md5($password.$salt);

The advantage is that this way the salt value is random and it changes for each password, making it nearly impossible to break.



Answer 3:

Take a look at http://php.net/manual/de/function.crypt.php

You should consider using salts to prevent rainbow table attacks. You can find a tutorial here: http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/



Answer 4:

I think that the best thing is using a library to manage passwords.
If you cannot use PHP 5.5, you can try this library that works for PHP 5.3+; have a look at this project:

http://rchouinard.github.io/phpass/
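Putting Answer 1 (password_hash with bcrypt) and Answer 3 (crypt with a salt) together, here is an added example, not code from any of the answers or from the libraries they link, showing bcrypt storage that uses password_hash() where PHP 5.5+ provides it and otherwise builds a "$2y$" crypt() salt from random bytes on PHP 5.3.7+. The function names hash_password, verify_password and needs_rehash are ours.

```php
<?php
// Added example: bcrypt password storage with a crypt() fallback for PHP < 5.5.
// Function names are our own, not from password_compat or PHPass.

// Hash a password with bcrypt at the given cost (2^cost iterations).
function hash_password($password, $cost = 10)
{
    if (function_exists('password_hash')) {             // PHP >= 5.5
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    // Fallback (PHP 5.3.7+): bcrypt wants a 22-char salt from [./A-Za-z0-9],
    // so take 16 random bytes, base64 them and map '+' to '.'.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60) {                          // crypt() failed
        throw new RuntimeException('bcrypt is not available on this PHP build');
    }
    return $hash;
}

// Check a candidate password against a stored hash without leaking timing.
function verify_password($password, $hash)
{
    if (function_exists('password_verify')) {
        return password_verify($password, $hash);
    }
    $check = crypt($password, $hash);                    // hash carries its own salt
    if (strlen($check) !== strlen($hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($hash); $i++) {
        $diff |= ord($check[$i]) ^ ord($hash[$i]);       // constant-time compare
    }
    return $diff === 0;
}

// True when the stored hash was made with a different cost than we want now,
// so it can be rehashed right after a successful login.
function needs_rehash($hash, $cost = 10)
{
    return strncmp($hash, sprintf('$2y$%02d$', $cost), 7) !== 0;
}

$hash = hash_password('HelloStackOverflow', 10);         // constructed sample
var_dump(verify_password('HelloStackOverflow', $hash));
var_dump(verify_password('wrong password', $hash));
var_dump(needs_rehash($hash, 12));
```

Store only the 60-character hash; the salt and cost are embedded in it, so there is nothing extra to keep or to know in advance, which is what the question asks for.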