我应该如何使用PHP哈希我的密码?

时间:2012-08-23 01:16:56

标签: php algorithm encryption hash

  

可能重复:
  Secure hash and salt for PHP passwords

我尝试使用haval160,4哈希算法创建一个使用salt哈希密码的函数。但我不明白它的安全性。我正在提供以下代码:

请告诉我如何改进安全系统。

<?php    
defined("SALT")? NULL : define("SALT", "abcdefthijklmnopqursuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*/\|[]{}()~!@#$%^&*_+:.,;1234567890");

function createSalt(){
        static $random_string;
        for($i=0;$i<64;$i++){
            $random_string .= substr(str_shuffle(SALT), 0,25);
        }
    return $random_string;
}

global $salts;// I want to store the salt value into my database with password
$salt = createSalt();
$salts = $salt;//I keep this cause I will check the matching password without database

function createPassword($input_data,$salt){
    static $hash;
    $cryc = crypt($input_data,$salt);

      $hash = hash("haval160,4",$cryc);

    return $hash;
}

$password = createPassword("123456",$salt);
$stored_password = $password ; // I stored value into a variable cause I want to test without database
//echo $password.'<hr>';

echo "Your Password: ".$password;
echo "<br/> Your SALT VALUE: ".$salt.'<hr>';

function checkPassword($uid,$password,$salts,$stored_password){//this is just a test function... actual function don't require $salts and $stored_password
    $db_uid = 1 ;
    if($uid === $db_uid){

        $db_salt = $salts;

        $db_password = createPassword($password,$db_salt);
        if($db_password == $stored_password){
            echo "Password Match";
        }else{
            echo"password don't match";
        }

    }

}

checkPassword(1,"123456",$salts,$stored_password);

?>

1 个答案:

答案 0 :(得分:2)

您不应该设计自己的加密算法。

使用此bcrypt实现:http://www.openwall.com/phpass/

require '../PasswordHash.php';
$hasher = new PasswordHash($hash_cost_log2=2, $hash_portable=false); // increase the first parameter if you need it to be slower (more secure)

// Create hash
$hash = $hasher->HashPassword($pass);

// Check password
$hasher->CheckPassword($pass, $hash);

这是您可以获得的安全,不要在寻找更安全的东西,并且不要尝试添加盐或其他任何东西。