php 加密/解密 MySQL 数据库的密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5059151/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Encrypting/Decrypting Passwords to and from a MySQL database
提问by AKor
I'm starting to create a user system for my website, and what I want to do is to have the passwords encrypted, rather than plaintext. I'm using PHP/MySQL, so I figured crypt()is a good place to start. However, I'm brand new to cryptography like this, and I'm having trouble understanding exactly how it works. Does anybody know how to implement, at the simplest level, a way for passwords to be stored as an encrypted string, but always be able to be decrypted, without a security issue?
我开始为我的网站创建一个用户系统,我想要做的是加密密码,而不是明文。我正在使用 PHP/MySQL,所以我认为这crypt()是一个很好的起点。但是,我对这样的密码学是全新的,我无法准确理解它是如何工作的。有没有人知道如何在最简单的层面上实现一种将密码存储为加密字符串的方法,但始终能够解密,而不会出现安全问题?
采纳答案by Explosion Pills
Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.
密码应该散列,而不是加密。也就是说,您应该无法解密密码。相反,您应该比较哈希。
- User sets password
$password = 'hX4)1z' - You get hash of password and store to DB:
- 用户设置密码
$password = 'hX4)1z' - 您获得密码的哈希值并存储到数据库:
#
#
$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');
- Customer comes back later. They put in their password, and you compare it:
- 客户稍后回来。他们输入密码,然后您进行比较:
#
#
mysql_query('SELECT pw FROM passwords WHERE user_id = ?');
//$pw = fetch
if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {
echo "Logged in";
}
回答by omar
I notice people make huge deals about storing passwords.
我注意到人们在存储密码方面做了大量交易。
Agreed you shouldn't store passwords as plain texts, but if you store the one way hash and get rid of the password, hackers can still using algorithms to hack a hash hashing strings and comparing.
同意您不应该将密码存储为纯文本,但是如果您以一种方式存储散列并摆脱密码,黑客仍然可以使用算法来破解散列哈希字符串并进行比较。
Also, if you encrypt with an algorithm that you can decrypt later, that can also be hacked by figuring out the algorithm of the encryption.
此外,如果您使用稍后可以解密的算法进行加密,那么也可以通过找出加密算法来破解。
I think as long as no one can see the users' passwords outright and you simply make it difficult for hackers you're good, but people say you shouldn't encrypt because it can be decrypted but that's not fair because anything can be hacked.
我认为只要没有人可以直接看到用户的密码,并且您只是让黑客难以接受,您就很好,但是人们说您不应该加密,因为它可以被解密,但这不公平,因为任何东西都可以被黑客入侵。
回答by Sam Hogarth
PHP has some built-in has functions, such as md5(). When I was learning I found IBM's primervery useful - I'd highly recommend looking at that.
PHP 有一些内置的 has 函数,比如md5()。当我学习时,我发现IBM 的入门非常有用 - 我强烈建议您阅读它。
As an aside, I would advise againstbeing able to decrypt a password. The only person who should know their password is a user! This is why we store hashed versions of passwords which we can check against, rather than storing encrypted passwords which can be decrypted..
顺便说一句,我建议不要解密密码。唯一应该知道密码的人是用户!这就是为什么我们存储可以检查的密码的散列版本,而不是存储可以解密的加密密码。
回答by Vivek Goel
You can use md5 or better hashing technique like sha1 See password hashing http://phpsec.org/articles/2005/password-hashing.htmlfor more details.
您可以使用 md5 或更好的散列技术,如 sha1 有关更多详细信息,请参阅密码散列http://phpsec.org/articles/2005/password-hashing.html。
回答by delphist
回答by Bv202
I suggest using SHA2 with a salt to store your password.
我建议使用带盐的 SHA2 来存储您的密码。
To create a SHA2 hash, use this:
要创建 SHA2 哈希,请使用以下命令:
$hash = hash("sha512", $password.$salt);
A salt contains some extra characters to add to your password before hasing to prevent rainbow tables (databases of passwords and it's hashes). You can create one using a unique user info (like a user_id) or just create a random one and store it somewhere. Just make sure the salt is long enough.
在必须防止彩虹表(密码及其哈希的数据库)之前,盐包含一些额外的字符添加到您的密码中。您可以使用唯一的用户信息(如 user_id)创建一个,也可以随机创建一个并将其存储在某处。只要确保盐足够长。
Don't make use of MD5 anymore; it's old. See http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilitiesfor more info.
不要再使用 MD5;它老了。有关更多信息,请参阅http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities。
EDIT: These are one-way hashing algoritms. You can and should not be able to decrypt a password. If you can, then there is no point in using a hash to store passwords.
编辑:这些是单向散列算法。您可以也不应该解密密码。如果可以,那么使用散列来存储密码是没有意义的。
回答by James
No, there is always going to be a security issue with regards to where you store the encryption password. This is why websites never store the hash of the password and not the password itself. When someone registers at your website and they enter the password, you store the hash (MD5 or SHA1 or whatever, as mentioned above) of the password. When they log in later you again hash the password they entered (by the same method used when storing it) and compare. If the hashes are the same then the passwords are the same (with a very high probability!) Any website that lets you recover your password is an insecure website.
不,关于您存储加密密码的位置总是存在安全问题。这就是为什么网站从不存储密码的哈希值而不是密码本身的原因。当有人在您的网站上注册并输入密码时,您会存储密码的哈希值(MD5 或 SHA1 或其他任何内容,如上所述)。当他们稍后登录时,您再次散列他们输入的密码(使用存储密码时使用的相同方法)并进行比较。如果哈希值相同,则密码相同(很有可能!)任何让您恢复密码的网站都是不安全的网站。
