I'm making a system which need password to enter and now my plan is make a form with only password input (since I only need on password) and then use post to authentic the password then update PHP session to logged_in but I know that the value won't show on post method but I don't really know is that secure and since it's a HTML form I don't know is there any way to encrypt/hash the input, though I have HTTPS connection and also forcing it I don't know will the password be hacked and is my method Secure
答案 0 :(得分:0)
如果你想尽可能安全,我建议:
使用以下方法在javascript中第一次哈希密码: https://github.com/emn178/js-sha256/blob/master/src/sha256.js
密码必须通过https连接发送。
在服务器端,当你收到密码时,在sha256中再次哈希(或者其他算法,没关系,但sha256安全且计算速度相对较快)并将其与包含密码的本地文件进行比较2次
回顾一下: 在javascript中哈希 - >通过https发送 - >服务器上的哈希 - >与包含双哈希
的本地文件进行比较javascript中的哈希就在这里,因为如果潜在的攻击者执行MITM,他将能够(在某些情况下)查看哈希而不是原始密码,因此即使他能够对您的服务进行身份验证使用该哈希,他将无法检索真实密码(可能在其他网站/服务上使用)
此外,如果你是偏执狂,你可以salt密码以防止使用彩虹表的任何暴力