开发者

php hashed password creation

I am looking to create a commercial website using php and I wanted to make sure the code I have for user hashed password was strong enough to avoid brute force attacks.

Note that my server and it's php version does not support blowfish so I am trying to figure out a decent method of hashing a password.

$pw = "12341234";
$salt = 'randomchars';
$initial = sha1($pw);
$hashed = md5($salt . $initial);

Is there something else I should be consi开发者_如何学JAVAdering? any thoughts would be appreciated!


You want http://www.openwall.com/phpass/


I think you are not aware of the fact, that the way you hash passwords does not influence the possibility of cracking the password by brute force attack (eg. when attacker tries to provide thousands of possible passwords). It only makes password safe in case someone sees the value in the database that is used to represent this password.


For Brute Attack you can use google's captcha..

And for code password you can use first md5 and second sha1 because md5 generating 32 characters data sha1 64.. :)


Your snippet seems secure. You want to protect against rainbow table attacks, so the double-encryption is a good idea. The computing power to even generate a list of MD5 hashes of SHA1 plaintext is huge, but it's still no harm to have the salt there to protect against such an attack.


There is no need to reinvent a wheel as there is a crypt function.

// generate MD5-hashed password with salt
$password = crypt('mypassword');
// password contains string(34) "$1$bkZO1nIl$y5bzPPwByq.9tYEb64k4e0"

See examples for different types of hashes including MD5 and SHA256 in the manual: http://php.net/manual/en/function.crypt.php

I this is not enough, there are alternatives:

  • How do you use bcrypt for hashing passwords in PHP?

Keep in mind that if someone was able to lay his hand on your database, his ability to crack users' passwords will be least of your problems.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜