Best hash algorithm to use in PHP/MYSQL

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must comply with the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original address: http://stackoverflow.com/questions/2048281/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-25 04:48:46  Source: igfitidea


Tags: php, mysql

Asked by Gatura

Which is the best recommended algorithm to use for encrypting passwords in php/mysql


Accepted answer by phunehehe

I would use PHP's crypt() function because there will not be any way for the password to be decrypted. When I need to check the newly entered password I just have to encrypt that one and compare the two results.


Answered by TravisO

SHA-512 with a salt is a good & secure way to hash a password. If that's not available you have SHA-1, but its security is considered a bit weak these days, especially if you don't use a salt.


Answered by eldh

Most people now agree SHA is not the best way to go, since these algorithms are bad at resisting brute-force attacks. It's better to use bcrypt, scrypt or PBKDF2; see this Q&A.


Here is a guide on how to implement bcrypt in php.

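An added example of the bcrypt approach eldh recommends, written here for this page and not taken from the answer or the linked guide: PHP's built-in password_hash()/password_verify() API (PHP 5.5+) wraps crypt() with bcrypt and a per-user random salt. The cost value 12 is an assumed tuning setting; the demo password is constructed.

```php
<?php
declare(strict_types=1);

// Assumed cost setting: raise it as hardware gets faster, keeping logins
// around a few hundred milliseconds (slow for attackers, unnoticed by users).
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    // Result is a 60-character "$2y$..." string that already embeds the
    // algorithm, cost and a fresh random salt, so no separate salt column is
    // needed. Store it in VARCHAR(255) so a future algorithm still fits.
    // Note: bcrypt only uses the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // password_verify() reads salt and cost out of the stored hash and
    // compares in constant time, so no manual string comparison is needed.
    return password_verify($password, $storedHash);
}

// Upgrade path: after a successful login, rehash when the stored hash was
// created with a lower cost than the current setting. Returns null if the
// stored hash is already up to date.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    $opts = ['cost' => BCRYPT_COST];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)) {
        return hashPassword($password);
    }
    return null;
}

// Demo with a constructed password: the correct password verifies, a wrong
// one does not, and two hashes of the same password differ because each
// gets its own random salt.
$secret = 'correct horse battery staple';
$stored = hashPassword($secret);
var_dump(verifyPassword($secret, $stored));
var_dump(verifyPassword('wrong password', $stored));
var_dump($stored !== hashPassword($secret));
var_dump(rehashIfNeeded($secret, $stored));
```

On login, pass the submitted password and the stored hash to verifyPassword(), then write back any non-null result of rehashIfNeeded() to migrate old hashes transparently.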

Answered by FYA

  1. Current thinking is to use a SLOW hash algo. This causes "brute forcers" to spend lots of time generating all those attempts.

  2. Much smarter still is to track URI requests by IP and block with explanation when 5 login attempts fail from same IP within any given 5 minute period.

  3. Bank-smarter still is to do #1, #2 and also require a secondary pass challenge once the first one succeeds. Triple failure at second challenge results in lock-out.




Level 3 security is very, very strong. Probably too strong.


Answered by Dominic Rodger

There's a decent article here. Short answer: use crypt(), and make sure you use a salt.


Answered by user340140

Miki725 raises interesting points with the Matasano article. Whilst sha512 is better than md5 cryptographically, bcrypt beats them all because it is slower and thus costs more to attack. Slower is not bad; the internet is slow already, it's millions of times slower than CPU cache, and thousands of times slower than disk. Making password checks take 200ms instead of 1ms to compute is not going to bother any users.


Most importantly, do not forget to use a nonce that is randomly generated and different for each user.


bcrypt is going to be sub-optimal in PHP because php is interpreted and this gives the attacker some advantage, but there's a how-to in this stackoverflow article.


Answered by JAL

There are a lot of options - see the php hash docs for the complete list.


Speed is not an advantage, so using sha-512 or whirlpool is a good idea. You don't have to store the full length of the hash in mysql, for instance you could hash something as whirlpool, which is 128 characters long, and store only the first 64 characters for efficiency.
