Summary of solutions for password encryption in PHP
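Many users reuse one password across several websites, so when one password is lost the others are compromised too. This article summarizes the solutions for password encryption in PHP; readers who need it can take a look.
The steady stream of such incidents has a huge impact on users, because people habitually use the same password on different websites: when one site's database is dumped, all of their accounts suffer.
The common solutions.
1. One-way hash the plaintext password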
$password = md5($_POST["password"]);
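2. Append a salt to the password, then one-way hash it. PHP has a built-in hash() function; you only need to pass the algorithm name to hash(). You can directly specify algorithms such as sha256, sha512, md5, and sha1.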
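<?php
// Salted one-way hash. The salt is returned together with the digest,
// because it must be stored to recompute the hash at login.
function generateHashWithSalt($password) {
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    return array('salt' => $salt, 'hash' => hash("sha256", $password . $salt));
}
?>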
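One-way hash algorithms have one defining property: the original data cannot be recovered from the resulting digest. Commonly used one-way hash algorithms include SHA-256, SHA-1, and MD5. For example, the SHA-256 digest of the password "passwordhunter" is: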
“bbed833d2c7805c4bf039b140bec7e7452125a04efa9e0b296395a9b95c2d44c”
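Note: an attacker can one-way hash all the common password combinations to obtain a set of digests, then compare that set against the digests in the database to recover the corresponding passwords. This set of digests is also known as a rainbow table. Worse, once an attacker has built such a rainbow table, it can be matched against every password database. The result is still the same: one site's database is dumped and all accounts suffer.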
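The following added example (not part of the original article) shows the weakness described in the note: unsalted digests of the same password are identical across sites, so one precomputed table matches both, while a random per-user salt breaks the match. The site arrays, user names and candidate list are constructed sample data, and `matchDigests()` and `saltedRecord()` are hypothetical helper names.

```php
<?php
// Constructed sample data: two unrelated sites storing unsalted SHA-256 digests.
$siteA = ['alice' => hash('sha256', 'passwordhunter')];
$siteB = ['bob'   => hash('sha256', 'passwordhunter')];

// A digest => password table is computed once and is valid for any unsalted database.
$candidates = ['123456', 'letmein', 'passwordhunter'];
$lookup = [];
foreach ($candidates as $candidate) {
    $lookup[hash('sha256', $candidate)] = $candidate;
}

// Hypothetical helper: returns the accounts whose stored digest appears in the table.
function matchDigests(array $users, array $lookup): array
{
    $hits = [];
    foreach ($users as $name => $digest) {
        if (isset($lookup[$digest])) {
            $hits[$name] = $lookup[$digest];
        }
    }
    return $hits;
}

// Same password, same digest: both sites fall to the same table.
var_dump($siteA['alice'] === $siteB['bob']);
print_r(matchDigests($siteA + $siteB, $lookup));

// Hypothetical helper: a random per-user salt, stored next to the digest.
function saltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'digest' => hash('sha256', $password . $salt)];
}

$a = saltedRecord('passwordhunter');
$b = saltedRecord('passwordhunter');

// The two records no longer share a digest, and the precomputed table no longer applies.
var_dump($a['digest'] === $b['digest']);
var_dump(isset($lookup[$a['digest']]));
```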
A better solution
Bcrypt
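<?php
function generateHash($password) {
    // crypt() can only produce a bcrypt hash when Blowfish support is available.
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // "$2y$" selects bcrypt, "11" is the cost, followed by 22 salt characters.
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
    return null; // Blowfish is not available
}
?>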
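Bcrypt is really just the combination of Blowfish and the crypt() function. Here we use CRYPT_BLOWFISH to check whether Blowfish is available, then generate a salt as above. Note, however, that the salt passed to crypt() must begin with $2a$ or $2y$. For details, see the following links: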
http://www.php.net/security/crypt_blowfish.php
http://php.net/manual/en/function.crypt.php
Password Hashing API
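The Password Hashing API is a new feature available since PHP 5.5. It mainly provides the following functions:
password_hash() – hashes a password.
password_verify() – verifies a hashed password, checking whether the hash string matches.
password_needs_rehash() – re-hashes a password.
password_get_info() – returns the name of the hashing algorithm and some related information.
Although crypt() is sufficient in practice, password_hash() not only makes our code shorter but also gives us better security guarantees. For that reason PHP now officially recommends this approach for hashing user passwords, and many popular frameworks, such as Laravel, use it.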
<?php $hash = password_hash($password, PASSWORD_DEFAULT); ?>
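PASSWORD_DEFAULT currently uses Bcrypt, and the Password Hashing API remains the best choice. Note that if your code uses PASSWORD_DEFAULT throughout, the password column in the database table must be set to more than 60 characters. You can also use PASSWORD_BCRYPT, in which case the hashed string is always 60 characters long.
With password_hash() you do not have to provide a salt or a cost at all. You can think of the cost as a performance cost: the larger the cost, the more complex the algorithm and the more memory it consumes. Of course, if you need to specify the salt and the cost yourself, you can write it like this: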
<?php
function custom_function_for_salt() {
    // password_hash() expects the raw 22-character salt, without the "$2y$11$" prefix.
    return substr(md5(uniqid(rand(), true)), 0, 22);
}

$password = '123456';
$options = [
    // The 'salt' option is deprecated as of PHP 7.0 and ignored as of PHP 8.0.
    'salt' => custom_function_for_salt(), // write your own code to generate a suitable salt
    'cost' => 12 // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
echo $hash;
?>
Once the password has been hashed, we need to verify it in order to decide whether the password the user entered is correct:
<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}
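Calling password_verify directly is enough to verify the string we hashed earlier (stored in the database).
If at some point we need to change the way we hash, for example because one day we want to change the salt or raise the cost, we need the password_needs_rehash() function: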
<?php
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
    // cost change to 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // don't forget to store the new hash!
}
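Only in this way will PHP's Password Hashing API know that we have changed the hashing method; the main purpose is to support later password verification. As for password_get_info(), this function generally shows the following three pieces of information:
algo – the algorithm instance
algoName – the algorithm name
options – the optional parameters used when hashing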
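The verification and rehash steps above, combined into one login routine, as an added example that is not code from the original article. It goes beyond the text by also upgrading legacy MD5 digests (the first approach at the top of the article) on successful login. The `$users` array stands in for the database, the accounts and passwords are constructed, and `isLegacyMd5()` and `login()` are hypothetical names.

```php
<?php
// Target parameters for every stored hash (assumption: cost 12, as in the article's examples).
const HASH_OPTIONS = ['cost' => 12];

// Constructed sample records standing in for the users table.
$users = [
    'alice' => md5('passwordhunter'),                                  // legacy unsalted MD5
    'bob'   => password_hash('hunter-two', PASSWORD_BCRYPT, ['cost' => 10]), // older bcrypt cost
];

// A legacy record is exactly 32 lowercase hex characters.
function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (isLegacyMd5($stored)) {
        // hash_equals() compares the digests in constant time.
        $ok = hash_equals($stored, md5($password));
        $stale = true; // always migrate legacy records
    } else {
        $ok = password_verify($password, $stored);
        $stale = password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS);
    }

    if ($ok && $stale) {
        // The plaintext is only available at login, so this is the moment to upgrade.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $ok;
}

foreach ([['alice', 'passwordhunter'], ['bob', 'hunter-two'], ['bob', 'wrong']] as [$name, $pw]) {
    $before = password_get_info($users[$name])['algoName'];
    $result = login($users, $name, $pw) ? 'ok' : 'rejected';
    $after  = password_get_info($users[$name]);
    printf("%s: %s, %s -> %s %s\n", $name, $result, $before,
        $after['algoName'], json_encode($after['options']));
}
```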
That is all for this article; I hope it helps with your learning.