Please comment this method of storing user password...
$storePassword = md5Hash($salt, $userActuallyPassword);
When the user assign a password, I will generate a salt, which is a ten digit random string, and I use md5 with the userActuallyPassw开发者_如何学Cord, and I store the salt and storePassword, within store the user actually password, is this a good way to do so? Any comment on this?
It's almost good.
However, you should not use MD5, and you should use non-ASCII salt.
Instead, use bcrypt
Try using a more rigorously-studied method like PBKDF2. You'll still store a hash and a salt, and you can pick your own hashing algorithm, but you'll take care of dictionary attacks, rainbow attacks and a variety of other problems. You can find a good implementation in the comments for the hash_hmac() function.
nearly correct:
$storePassword = $salt . md5Hash($salt, $userActuallyPassword);
and instead of md5, you are better off using either SHA256 or BCrypt Hash.
Also, a ten digit random string does not have a very large entropy, you could improve by using 128 random bits instead of digits.
精彩评论